Variable Length Authorization Code and Access Token Max Size

blairt · October 21, 2021, 5:36pm

Hello, I think its great that Auth0 is supporting RFC 6749 specifications. I have switched off the fixed length size for auth codes and access tokens, but it still would be nice to know the max sizes that could be returned.

In addition to the spec mentioning “The authorization code string size is left undefined by this specification. The client should avoid making assumptions about code value sizes.”, the spec also mentions “The authorization server SHOULD document the size of any value it issues.”

Is there any such documentation?

Thanks.

dan.woda · October 21, 2021, 9:41pm

Hi @blairt,

Welcome to the Auth0 Community!

Thanks for reaching out on this. As far as I know, we don’t have docs on token and auth code sizes, but I am investigating and will update here with my findings.

dan.woda · November 1, 2021, 8:39pm

Here is the update:

For a token that is meant to be used with the userinfo endpoint, the customer is safe to assume that the size of the token will not exceed 4096 characters.

In the general case, the exact content of access tokens cannot be determined beforehand (e.g scopes and claims can vary in number and size depending on circumstances) hence no specific guidance about size is given.

system · November 16, 2021, 8:40pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.