Open mattsuid opened 7 years ago
As a solution, flask-oidc could support storing the JWT within the flask-session instead of a cookie. Section 3.1.2.3 of the OpenID Connect Core 1.0 specification states that "The methods used by the Authorization Server to Authenticate the End-User (e.g. username and password, session cookies, etc.) are beyond the scope of this specification."
Flask-OIDC stores the JWT in the cookies, but could simply use a server-side session to allow storage of JWTs without the length limitation of HTTP headers.
When any ID token or user info endpoint call results in data greater than 4 KB, the cookie storage fails. This arbitrarily limits the authorization and identity data that can be relayed by the authorization server to the client.
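The failure mode above and the proposed fix, as an added stand-alone example (not flask-oidc's code): a constructed ID token with a large `groups` claim overshoots the 4096-byte per-cookie limit, while a server-side store keeps the token in memory and hands the browser only an opaque, HMAC-tagged session id. The in-memory dict, the `alg=none` token builder and the 4096-byte constant are assumptions made for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import secrets

COOKIE_LIMIT = 4096  # assumed practical per-cookie size limit enforced by browsers


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_id_token(claims: dict) -> str:
    """Build an unsigned, JWT-shaped token (constructed sample, not a real ID token)."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def large_claims() -> dict:
    """Constructed claims: an authorization server relaying many group memberships."""
    return {"iss": "https://op.example", "sub": "user-1",
            "groups": [f"group-{i}" for i in range(400)]}


def cookie_fits(value: str) -> bool:
    """True when the value could be stored in a single cookie."""
    return len(value.encode()) <= COOKIE_LIMIT


class ServerSideSessionStore:
    """Keep the token server-side; the cookie carries only id + HMAC tag."""

    def __init__(self, key: bytes):
        self._key = key
        self._tokens = {}  # assumption: in-memory dict stands in for a shared backend

    def _tag(self, sid: str) -> str:
        return hmac.new(self._key, sid.encode(), hashlib.sha256).hexdigest()

    def store(self, id_token: str) -> str:
        sid = secrets.token_urlsafe(32)  # URL-safe alphabet, never contains "."
        self._tokens[sid] = id_token
        return f"{sid}.{self._tag(sid)}"

    def load(self, cookie: str):
        sid, _, tag = cookie.rpartition(".")
        if not hmac.compare_digest(tag, self._tag(sid)):
            return None  # tampered or forged id: never consult the store
        return self._tokens.get(sid)
```

In a real deployment the store must be shared across worker processes and expire entries, or the session survives only on the worker that created it.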