M2M Applications being generated with unreasonably large access tokens

When attempting to implement a recently created Machine to Machine application, generating an access token then passing it to a node.js application that uses said application returned the following:
<html>
<head><title>400 Request Header Or Cookie Too Large</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>Request Header Or Cookie Too Large</center>
<hr><center>nginx</center>
</body>
</html>

On account of the access token generated being over 18K characters long.

Researching what to do about this issue led me to understand that Auth0 had a setting to handle this issue (How do I enable/disable the Fixed Length of Access Token and Authorization Code?) but removed it, which is frustrating.

That being the case, I can avoid the issue by increasing the nginx service's large_client_header_buffers.

But is there a way to avoid doing so? If not, how large should I expect the tokens to potentially be?

Hi there @bryceb welcome to the community!

Are you adding any custom claims to the token? I would definitely audit all claims regardless, including only necessary permissions.

None, and our m2m application with an identical configuration in our dev tenant does not have this issue.


Thanks for clarifying, that's odd :thinking: Are there any obvious differences between a dev m2m access token and prod when compared at jwt.io?

Hello again.

I may have misunderstood the initial post, but after examining the token on jwt.io, it seems that the number of permissions applied to the m2m application (the one in my dev environment was set up by another developer for another purpose, then reused for another task much later) was the key issue. This has now been resolved.

Thank you kindly for your assistance.


Hey there @bryceb!

Thanks for following up on this and glad to hear you were able to get it sorted :pray:
