Issue
- We store several things in our OpenID access token and when a user tries to log in, it fails because the token size exceeds the 3000-character limit specified in the ACCESSTOKEN column of the OPENIDCONNECTSESSION table.
Environment
- Liferay DXP 7.2+
- Oracle database
Resolution
- The character limits were set taking industry standards into consideration. For example, the idToken column has a varchar(3999) size limit because that is the maximum varchar size in the Liferay service builder. Beyond 3999 characters, the column becomes a text or blob type, which slows down entry lookups.
- The practical limit is a function of the HTTP header size supported by the various HTTP sub-systems, such as proxies, Tomcat, nginx, and so on. No maximum size is defined by specification; however, the average industry size is 8KB. Note that this figure is for the total size of the header. Room must also be left for the various fields/signatures/hashing stored in a compliant OIDC (JWT) token, which leaves on average about 4KB of space to work with. If the token's size is 7KB, that is almost the full header size.
- These tokens are only limited in size by the HTTP header; the OAuth and OIDC specifications do not regulate the size. Because OIDC tokens are shared using HTTP headers, the infrastructure must be able to support their size, and having a fixed limit ensures that the entire infrastructure will not fail.
- Therefore it's a necessary limitation from Liferay's side, and we recommend reducing the token size to fit within the 3KB limit.
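To find out which claims to trim, the following added example (not Liferay code) measures a token against the 3000-character ACCESSTOKEN limit and the 8KB header figure above, and ranks payload claims by size. It assumes the access token is a compact JWS; the function names, the `groups` claim and the sample token are constructed for illustration.

```python
import base64
import json

COLUMN_LIMIT = 3000        # ACCESSTOKEN column limit cited in this article
HEADER_BUDGET = 8 * 1024   # average total HTTP header size cited in this article

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_json(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def audit_token(token: str) -> dict:
    """Size inspection only: the signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    payload = json.loads(_b64url_decode(parts[1]))
    # Serialized size of each claim (key plus value), largest first.
    sizes = sorted(
        ((name, len(json.dumps({name: value}, separators=(",", ":"))) - 2)
         for name, value in payload.items()),
        key=lambda item: item[1], reverse=True)
    header_line = len("Authorization: Bearer ") + len(token)
    return {
        "length": len(token),
        "fits_column": len(token) <= COLUMN_LIMIT,
        "excess": max(0, len(token) - COLUMN_LIMIT),
        "header_share": header_line / HEADER_BUDGET,
        "claims_by_size": sizes,
    }

def make_sample_token(claims: dict) -> str:
    """Constructed sample; the signature is filler with RS256 length (256 bytes)."""
    header = _b64url_json({"alg": "RS256", "typ": "JWT"})
    signature = base64.urlsafe_b64encode(b"\x00" * 256).rstrip(b"=").decode()
    return f"{header}.{_b64url_json(claims)}.{signature}"

# Constructed input: a token bloated by a large group-membership claim.
SAMPLE = make_sample_token({
    "sub": "user-1", "iss": "https://idp.example.test",
    "groups": [f"group-{i:04d}" for i in range(250)],
})

if __name__ == "__main__":
    report = audit_token(SAMPLE)
    print(report["length"], report["excess"], report["claims_by_size"][:3])
```

Access tokens are bearer credentials, so run a check like this offline against a token from a test account rather than pasting production tokens into shared tools.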