"The generated token is too large" Error is Returned from the Authentication API

Last Updated: Jan 9, 2025

Overview

When an end user logs in, the login fails and the user gets the error "The generated token is too large".

This error message is returned to the application as a URL hash fragment:

https://example.com/callback#error=invalid_request&error_description=The%20generated%20token%20is%20too%20large.%20Try%20with%20more%20specific%20scopes.

This article explains the cause of the error message and the workaround.
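As an added illustration, not code from the Auth0 article or its SDKs, the following JavaScript parses the hash fragment of a callback URL and distinguishes the error response above from a successful token response, so the application can surface the error explicitly instead of failing silently. The error URL is the one shown above; the second sample URL, the function names and the `tokenTooLarge` flag are assumptions of this example.

```javascript
// Added example, not Auth0 or Lock SDK code: parse the hash fragment of an
// authentication callback URL and classify what it carries.

// Constructed sample: the error callback shown in this article.
const SAMPLE_ERROR_CALLBACK =
  'https://example.com/callback#error=invalid_request&error_description=' +
  'The%20generated%20token%20is%20too%20large.%20Try%20with%20more%20specific%20scopes.';

// Constructed sample: a successful fragment response (token values are fake).
const SAMPLE_TOKEN_CALLBACK =
  'https://example.com/callback#access_token=fake-access&id_token=fake.id.token' +
  '&token_type=Bearer&expires_in=7200';

// Turn the "#key=value&key=value" fragment into a plain object.
// URL and URLSearchParams are globals in browsers and in Node.js.
function parseFragment(callbackUrl) {
  const url = new URL(callbackUrl);
  const fragment = url.hash.startsWith('#') ? url.hash.slice(1) : url.hash;
  return Object.fromEntries(new URLSearchParams(fragment));
}

// Classify the callback so the application can branch on it explicitly.
function classifyCallback(callbackUrl) {
  const params = parseFragment(callbackUrl);
  if (params.error) {
    const description = params.error_description || '';
    return {
      kind: 'error',
      error: params.error,
      description,
      // Assumed convention of this example: recognise the oversized-token case
      // by matching the server's message text, so it can be logged distinctly.
      tokenTooLarge: /generated token is too large/i.test(description),
    };
  }
  if (params.id_token || params.access_token) {
    return {
      kind: 'tokens',
      hasIdToken: Boolean(params.id_token),
      hasAccessToken: Boolean(params.access_token),
    };
  }
  return { kind: 'none' };
}

// Stand-alone run: show the classification of both samples.
console.log(classifyCallback(SAMPLE_ERROR_CALLBACK));
console.log(classifyCallback(SAMPLE_TOKEN_CALLBACK));
```

Because the fragment never reaches the server, this parsing has to happen in the browser; logging the `error` and `error_description` values on the client is the only place where this failure can be observed.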

Applies To

  • Authentication API
  • OIDC
  • Token

Cause

When the ID Token is to be returned in the hash fragment of the redirect URL (for example, in the implicit flow or the hybrid flow), the server checks its size, because the length of a URL is limited.

  • The maximum URL length depends on the environment.

If the size of the ID Token exceeds 3.5 kb, the server returns this error message.

NOTE: The maximum length of 3.5 kb is not guaranteed as Auth0’s official spec. It can be subject to change in the future without prior notice.

Solution

(1) Reduce the size of the ID Token

  • Make the client application OIDC conformant according to the OpenID Connect Protocol. This ensures that only OIDC standard information is included in the issued ID Token, which significantly decreases the chances of hitting this error.
  • Remove unnecessary scopes. If an Action adds custom claims to the ID Token, ensure that the additional values are sufficiently small.
  • If requesting user information from a social identity provider, request only the minimum set of scopes that the application needs.
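The following JavaScript is an added example, not Auth0 code. It builds a constructed, unsigned sample ID token, reports which claims account for its size, and re-measures after dropping a claim, mirroring the advice above to remove unnecessary scopes and keep custom claims small. The byte threshold (3.5 × 1024), the claim names and the sample values are assumptions of this example; the article gives only the approximate and non-guaranteed 3.5 kb figure.

```javascript
// Added example, not Auth0 code: measure an ID token and find which claims
// make it large, so it can be slimmed before it hits the fragment-size check.

// The article gives only an approximate, non-guaranteed 3.5 kb limit; the
// exact byte value here is an assumption of this example.
const APPROX_LIMIT_BYTES = 3.5 * 1024;

// Minimal base64url helpers (URL-safe alphabet, no padding), as used by JWTs.
function b64urlEncode(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function b64urlDecode(data) {
  return Buffer.from(data.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

// Build a constructed, unsigned sample ID token. "alg":"none" is used only so
// this example needs no signing key; a real ID token is signed by the issuer.
function buildSampleIdToken(extraClaims = {}) {
  const header = { alg: 'none', typ: 'JWT' };
  const payload = {
    iss: 'https://example-tenant.example.com/', // constructed issuer
    sub: 'auth0|000000000000000000000000',       // constructed subject
    aud: 'sample-client-id',                     // constructed client id
    iat: 1700000000,
    exp: 1700003600,
    name: 'Sample User',
    email: 'user@example.com',
    ...extraClaims,
  };
  return `${b64urlEncode(JSON.stringify(header))}.${b64urlEncode(JSON.stringify(payload))}.`;
}

// Decode the payload and rank claims by the bytes each one contributes.
function analyzeIdToken(token) {
  const [, payloadPart] = token.split('.');
  const claims = JSON.parse(b64urlDecode(payloadPart));
  const claimSizes = Object.entries(claims)
    .map(([claim, value]) => ({ claim, bytes: Buffer.byteLength(JSON.stringify({ [claim]: value })) }))
    .sort((a, b) => b.bytes - a.bytes);
  const totalBytes = Buffer.byteLength(token, 'utf8');
  return { totalBytes, overLimit: totalBytes > APPROX_LIMIT_BYTES, claimSizes };
}

// Re-encode the (unsigned sample) token without the named claims, to see how
// much removing them saves. This only makes sense for the constructed token;
// a real token has to be re-issued by the server with fewer claims.
function withoutClaims(token, claimNames) {
  const [headerPart, payloadPart] = token.split('.');
  const claims = JSON.parse(b64urlDecode(payloadPart));
  for (const name of claimNames) delete claims[name];
  return `${headerPart}.${b64urlEncode(JSON.stringify(claims))}.`;
}

// Stand-alone run: a token bloated by one oversized custom claim.
const BLOAT_CLAIM = 'https://example.com/profile_blob'; // constructed namespaced claim
const bloated = buildSampleIdToken({ [BLOAT_CLAIM]: 'x'.repeat(4000) });
console.log(analyzeIdToken(bloated));
console.log(analyzeIdToken(withoutClaims(bloated, [BLOAT_CLAIM])));
```

The ranked `claimSizes` list is the useful output: in practice one namespaced custom claim carrying a profile blob, a list of roles, or a full address from a social provider is usually what pushes the token past the limit, and that is the claim to trim in the Action or the scope request.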

(2) Use a flow other than the implicit flow

For example, use the Authorization Code Flow. It returns tokens from the token endpoint instead of in the redirect URL, so it does not have the 3.5 kb size limitation for the ID Token.

NOTE: If the application is built with the Lock SDK:

  • Lock performs a request when starting up to see if there's already an authenticated session. It does so with scope=openid profile email and a response type of token id_token.
  • A response type of token id_token has, as its default response mode, the fragment (hash) component of the redirect URL, so the requested tokens are returned in the URL.
  • Web browsers typically limit the length of a URL. When the response mode implies including tokens in the URL, the server side of the Auth0 service therefore checks the generated token size and fails the request completely if it exceeds a certain size. This is better than leaving the browser to mishandle an over-long URL and possibly fail silently.
  • Currently, the server side always assumes that for a response type of token id_token the tokens will be included in the fragment of the URL, even when the request is performed with an explicit response mode that would not put tokens in the URL. Lock 11 makes the request with response_mode=web_message, which would not be subject to browser limits.