alpheios-project / alpheios-core

Alpheios Core Javascript Packages and Libraries

make sure we don't rely on length of auth0 tokens #658

Closed balmas closed 2 years ago

balmas commented 2 years ago

Message from Auth0:

Action Required: Authorization Code and Access Token Variable Size

Dear Auth0 Customer,

Your action is required by April 12, 2022 to ensure that your system does not rely on a specific size for the Access Token and authorization code and instead can handle a variable size of these credentials.

What is changing?

Access Tokens and authorization codes are types of OAuth credentials issued by the Auth0 platform in various flows.

Currently, the Access Token and authorization code sizes are fixed. Auth0 will soon change these to variable size.

Your action is required to ensure your system does not rely on a specific size for the Access Token and authorization code and instead can handle a variable size of these credentials.

Why are we making this change?

The OAuth specification indicates that clients should not make any assumptions about the size of these credentials. See the following two quotes from the OAuth specification:

“The authorization code string size is left undefined by this specification. The client should avoid making assumptions about code value sizes.”
“The Access Token string size is left undefined by this specification. The client should avoid making assumptions about value sizes.”

The current size of the authorization code is shorter than what some security practitioners recommend. Through this change, Auth0 provides a stronger code and token, which mitigates this concern. Additionally, this change will improve the performance of Auth0 systems.

The Auth0 platform, in some situations, issues a fixed-size opaque Access Token that is an identifier to information in a server’s persistent storage (see the following for more information about opaque access tokens). We plan to change that and instead issue a self-contained opaque Access Token to remove the need for persistently storing the access tokens to enhance the performance of the Auth0 platform.

How are you affected?

If your system relies on the fact that the Access Tokens and/or authorization codes are of a specific size, you will be affected by this change. Please note that if you use our SDKs/quickstarts as a reference point to configure your applications, you are not likely to be affected by this change.

If you store the Access Token in a cookie, make sure that you do not exceed the limit of the browser and/or your runtime engine (e.g., node.js). We highly recommend that you first try this change in a development environment to ensure this does not break anything for your system.

What action do you need to take?

If you rely on fixed-size values, make sure to switch from fixed size to variable size for the Access Token and authorization code credentials before April 12, 2022.

The Auth0 Dashboard has a toggle that allows you to disable the fixed size of these credentials to try it out. You can enable and disable this toggle at will until April 12, 2022. During this time, all already issued credentials will continue to work until they expire, regardless of the state of the toggle. At the end of the migration window, April 12, 2022, the toggle will be automatically disabled, and the Auth0 platform will exclusively issue the new variable size credentials.
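The notice above asks for two things a client must not get wrong: no assumption about credential length, and no overflow of the cookie budget if the token is stored in a cookie. The following is an added illustration, not code from the Alpheios project or from Auth0. It puts a brittle fixed-length check next to a size-agnostic one and sizes the resulting cookie. The 4096-byte cookie limit, the cookie attributes and all sample tokens are constructed for the example; the tokens are not real Auth0 credentials.

```javascript
// Added example, not code from the Alpheios project or from Auth0.
// Shows (1) a token check that breaks once credentials become variable-size,
// (2) the size-agnostic check that replaces it, and (3) a cookie-budget check
// for the case the notice warns about.

// Assumed budget: common browser and server implementations cap one cookie
// (name, "=", value and attributes together) at 4096 bytes. Adjust to your runtime.
const COOKIE_BYTE_LIMIT = 4096;

// Cookie attributes assumed for the Set-Cookie header being sized.
const COOKIE_ATTRIBUTES = '; Path=/; Secure; HttpOnly; SameSite=Lax';

// Constructed sample credentials (not real Auth0 tokens).
const SAMPLES = {
  // a 32-character opaque token in the old fixed-size style
  legacyOpaque: 'k3Jd9sLqP2mN8vXz1aBcDeFgHiJkLmNo',
  // a longer opaque token, as a variable-size change could produce
  longerOpaque: 'Q7wE2rT4yU6iO8pA1sD3fG5hJ7kL9zX0cV2bN4mM6nB8vC0xZ1lK3jH5gF7dS9aP',
  // a self-contained, JWT-shaped token large enough to exceed a cookie budget
  selfContained: [
    'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9',
    'A'.repeat(4200),
    'sig'.repeat(30),
  ].join('.'),
};

// Brittle check: assumes the legacy fixed size and rejects every longer token.
function acceptTokenFixedSize(token) {
  return typeof token === 'string' && token.length === 32;
}

// Size-agnostic check: a bearer token is an opaque string. The only structural
// property relied on here is the b64token character set from RFC 6750 section 2.1.
function acceptTokenVariableSize(token) {
  return typeof token === 'string' && /^[A-Za-z0-9\-._~+/]+=*$/.test(token);
}

// Bytes the Set-Cookie header would occupy for this name/value pair.
function cookieBytes(name, value) {
  return new TextEncoder().encode(`${name}=${value}${COOKIE_ATTRIBUTES}`).length;
}

// true when the credential fits in a single cookie under the assumed limit.
function fitsInCookie(name, value) {
  return cookieBytes(name, value) <= COOKIE_BYTE_LIMIT;
}

// Run every sample through both checks and the cookie budget.
function audit(samples = SAMPLES) {
  const report = {};
  for (const [label, token] of Object.entries(samples)) {
    report[label] = {
      fixedSizeCheck: acceptTokenFixedSize(token),
      variableSizeCheck: acceptTokenVariableSize(token),
      fitsInCookie: fitsInCookie('access_token', token),
    };
  }
  return report;
}

console.table(audit());
```

The fixed-size check passes only the legacy sample; the variable-size check passes all three, which is the behaviour the notice asks for. The self-contained sample passes validation but fails the cookie budget, so a client that moves from an opaque token to a self-contained one must also revisit where it stores the token, not just how it validates it.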

balmas commented 2 years ago

I don't think we rely on the size of the tokens from Auth0 anywhere but we should verify that.

irina060981 commented 2 years ago

I didn't find any checks for token size, so I think it doesn't relate to us.