OAuth Server and Bearer Token Size Limit

I was building an OAuth server using Microsoft's OWIN components and learned that it is not a good idea to keep adding an indefinite number of claims to the bearer token the OAuth server returns. There is no hard limit, but once a bearer token grows past 2KB you may start to see problems with different tools. This happened on a software project I was working on when the number of claims pushed the bearer token over 4KB: a tool the QA team was using for testing started to have issues.

As a rule of thumb, I try to limit bearer tokens to under 2KB now.
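One way to enforce that rule of thumb at the point where the token is issued, as an added example (this is not code from the post): a decorator around Katana's `ISecureDataFormat<AuthenticationTicket>` that measures every token `Protect()` produces and logs a warning when it exceeds 2048 bytes. It assumes the Microsoft.Owin.Security.OAuth package and that the protector purposes shown match the OAuth middleware's defaults; the `Provider` line is a placeholder for the app's own provider.

```csharp
using System.Diagnostics;
using System.Linq;
using System.Text;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.DataHandler;
using Microsoft.Owin.Security.DataProtection;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Decorator around the format that serialises and encrypts the access token.
// Every issued token passes through Protect(), so its final encoded size is measured here.
public class SizeCheckingTokenFormat : ISecureDataFormat<AuthenticationTicket>
{
    private readonly ISecureDataFormat<AuthenticationTicket> _inner;
    private readonly int _maxBytes;
    public SizeCheckingTokenFormat(ISecureDataFormat<AuthenticationTicket> inner, int maxBytes) { _inner = inner; _maxBytes = maxBytes; }

    public string Protect(AuthenticationTicket data)
    {
        string token = _inner.Protect(data);
        int size = Encoding.UTF8.GetByteCount(token); // the string the client will send back in Authorization: Bearer
        if (size > _maxBytes)
        {
            // Log the principal and claim count so the oversized claim set can be found and trimmed.
            Trace.TraceWarning("Bearer token is {0} bytes (limit {1}): {2} claims for '{3}'",
                size, _maxBytes, data.Identity.Claims.Count(), data.Identity.Name);
        }
        return token;
    }

    public AuthenticationTicket Unprotect(string protectedText) => _inner.Unprotect(protectedText);
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        var options = new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/token"),
            Provider = new OAuthAuthorizationServerProvider(), // placeholder: use the app's own provider that builds the claims
        };
        // Same protector purposes the Katana middleware uses by default (assumption), so bearer
        // authentication can still unprotect tokens issued through the wrapper.
        var inner = new TicketDataFormat(app.CreateDataProtector(
            typeof(OAuthAuthorizationServerMiddleware).Namespace, "Access_Token", "v1"));
        options.AccessTokenFormat = new SizeCheckingTokenFormat(inner, 2048); // the 2KB rule of thumb
        app.UseOAuthAuthorizationServer(options);
    }
}
```

Running the QA suite against a server wired this way surfaces the warning as soon as a claim set pushes a token past the limit, before the downstream tool starts misbehaving.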
