ORA-12899 because OpenID access token is too large
Written By
István Gergely-Tárnoki
How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!
While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines.We appreciate your understanding and encourage you to reach out with any feedback or concerns.
Legacy Article
You are viewing an article from our legacy "FastTrack"
publication program, made available for informational purposes. Articles
in this program were published without a requirement for independent
editing or verification and are provided"as is" without
guarantee.
Before using any information from this article, independently verify its
suitability for your situation and project.
Issue
- We store several things in our OpenID access token and when a user tries to log in, it fails because the token size exceeds the 3000-character limit specified in the ACCESSTOKEN column of the OPENIDCONNECTSESSION table
Environment
- Liferay DXP 7.2+
- Oracle database
Resolution
- The character limits were set taking industry standards into consideration. For example, the idToken column has a varchar(3999) size limit set because it is the maximum varchar size in the Liferay service builder. If the size passes beyond 3999, it becomes text or blob type which slows down the entry lookup.
- The limit is going to be a function of HTTP headers supported by the various HTTP sub-systems like proxies, tomcat, nginx, and so on. There is no maximum size defined by specification, however, the average industry size is 8KB. Note that that is for the total size of the header. Now you have to leave room for the various fields/signatures/hashing stored in a compliant OIDC (JWT) token and this leaves on average about 4KB of leftover space to play with. If the token's size is 7KB, that is almost the full header size.
-
These tokens are only limited in size by the HTTP header, and OAuth and OIDC specifications do not regulate the size. OIDC tokens are shared using HTTP headers, so it needs to be ensured that the infrastructure can support the size, and having a fixed limit ensures that the entire infrastructure will not fail.
- Therefore it's a necessary limitation from Liferay's side, and we recommend reducing the token size to make the 3KB limit.
Did this article resolve your issue ?