jazzband / django-oauth-toolkit

OAuth2 goodies for the Djangonauts!
https://django-oauth-toolkit.readthedocs.io

Remove 255 Character Limit on Tokens to Support JWT with Additional Claims #1412

Open iaggocapitanio1 opened 3 months ago

iaggocapitanio1 commented 3 months ago

Problem Description

When using django-oauth-toolkit to issue JWT tokens, the current implementation imposes a 255 character limit on token size. This restriction becomes problematic when adding additional claims to the JWT, such as user roles, permissions, or other user-specific data. For example, including a longer username or additional claims exceeds the limit, causing the application to crash.

Proposed Solution

I propose removing the 255 character limit on tokens. JWT tokens are designed to be extensible and should support a variable length to accommodate different use cases. By removing this limit, django-oauth-toolkit can offer more flexibility in issuing JWTs, making it a more robust solution for modern OAuth 2.0 applications that rely on JWT for extensive user claims.

Example Scenario

Below is an example scenario where the current token size limit is problematic:

from datetime import datetime, timedelta, timezone
import jwt  # PyJWT
from django.conf import settings

def generate_jwt_token(request, refresh_token=None):
    user = request.user
    # Lifetime comes from OAUTH2_PROVIDER['ACCESS_TOKEN_EXPIRE'] (seconds), defaulting to one hour.
    expire_seconds = settings.OAUTH2_PROVIDER.get('ACCESS_TOKEN_EXPIRE', 3600)
    exp_time = datetime.now(timezone.utc) + timedelta(seconds=expire_seconds)

    # Every additional claim (roles, permissions, ...) added here grows the encoded token.
    claim = {
        'user_id': str(user.id),
        'username': user.username,
        'exp': exp_time,  # PyJWT serialises an aware datetime as a NumericDate
    }
    return jwt.encode(claim, settings.SECRET_KEY, algorithm='HS256')

In this scenario, if we add more items to the claim or if the username is longer, the token size can easily exceed 255 characters, leading to application failures.

Benefits

Conclusion

Removing the 255 character limit on tokens in django-oauth-toolkit will provide developers with the needed flexibility to use JWTs effectively in their applications. This change will make the toolkit a more adaptable and forward-looking solution for OAuth 2.0 implementations.

hugochinchilla commented 2 months ago

I totally agree with this

makeevolution commented 1 month ago

Yes please, I am suffering from this too; wouldn't it be as simple as changing the token field from CharField to TextField?

n2ygk commented 1 month ago

@iaggocapitanio1 Feel free to submit a PR, but see below:

@makeevolution since the Access Token is indexed for searching, converting from a CharField of limited length to a TextField blob of indeterminate length may prevent it from being indexed (e.g. with MySQL and possibly other databases) leading to significant performance degradation every time a token is searched for in oauth2_validators.

I seem to recall having a similar discussion (but can't remember where:-) about having a TextField in a model and adding another column which is a short CharField cryptographic checksum of the TextField. Then the search can use the token checksum instead of the token value. Does that make sense?
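Added example (not code from the issue author or from django-oauth-toolkit) that illustrates both points raised in this thread: the example scenario in the issue, where extra claims push an HS256 JWT past 255 characters, and the two-column design sketched above, where the full token lives in an unbounded column and a fixed-width SHA-256 checksum is what gets indexed and searched. To stay runnable without Django or PyJWT installed, the JWT is encoded by hand in the same wire format PyJWT's `jwt.encode` produces, and `TokenStore` is an in-memory stand-in for the model; the secret, user id, username, roles and permissions are all constructed values.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed secret for the example only; a real deployment uses settings.SECRET_KEY.
EXAMPLE_SECRET = b"example-secret-not-for-production"

# Column width the issue is about.
LEGACY_TOKEN_MAX_LENGTH = 255


def _b64url(data: bytes) -> str:
    """Base64url without padding, as required by the JWS compact serialisation."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def encode_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Minimal HS256 JWT encoder (header.payload.signature, same layout PyJWT emits)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def token_checksum(token: str) -> str:
    """Fixed-width lookup key for a token of any length: 64 hex chars of SHA-256."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class TokenStore:
    """Stand-in for an AccessToken model with two columns (hypothetical field names):
        token          = TextField()                      # full value, unbounded
        token_checksum = CharField(max_length=64, unique=True, db_index=True)
    The dict key plays the role of the unique index on token_checksum, so a lookup
    never touches the unindexed TextField until one candidate row has been found.
    """

    def __init__(self) -> None:
        self._rows: dict[str, str] = {}  # token_checksum -> token

    def save(self, token: str) -> str:
        checksum = token_checksum(token)
        self._rows[checksum] = token
        return checksum

    def find(self, presented: str):
        """Look up by checksum, then confirm the full value in constant time."""
        stored = self._rows.get(token_checksum(presented))
        if stored is None:
            return None
        if not hmac.compare_digest(stored.encode("utf-8"), presented.encode("utf-8")):
            return None
        return stored


def _base_claims() -> dict:
    exp_time = datetime.now(timezone.utc) + timedelta(seconds=3600)
    return {
        "user_id": "user-42",                 # constructed
        "username": "alice",                  # constructed
        "exp": int(exp_time.timestamp()),     # NumericDate, as PyJWT would emit
    }


def build_minimal_token() -> str:
    """The claim set from the issue's scenario: comfortably under 255 characters."""
    return encode_hs256_jwt(_base_claims(), EXAMPLE_SECRET)


def build_extended_token() -> str:
    """The same token once roles and permissions are added: well over 255 characters."""
    claims = _base_claims()
    claims["username"] = "a.very.long.username@example.org"          # constructed
    claims["roles"] = ["admin", "billing", "support", "auditor"]       # constructed
    claims["permissions"] = [f"app.perm_{i}" for i in range(12)]      # constructed
    return encode_hs256_jwt(claims, EXAMPLE_SECRET)


if __name__ == "__main__":
    store = TokenStore()
    for label, token in (("minimal", build_minimal_token()), ("extended", build_extended_token())):
        fits = len(token) <= LEGACY_TOKEN_MAX_LENGTH
        print(f"{label}: {len(token)} chars, fits in CharField(255): {fits}")
        print(f"  indexed checksum ({len(store.save(token))} chars): {token_checksum(token)}")
        assert store.find(token) == token
```

The checksum is only a lookup key, so a plain SHA-256 of the token is enough; the constant-time comparison of the full stored value afterwards is what a validator should rely on, and it also rules out any doubt about two different tokens sharing a checksum. A `unique=True` index on the 64-character column keeps the per-request search in `oauth2_validators` as cheap as it is today with the indexed CharField.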

iaggocapitaniovamo commented 1 month ago

Yes, it makes sense; I will bring a PR ASAP.

makeevolution commented 2 weeks ago

@iaggocapitanio1 perhaps you have made progress? Just wondering :)