Authorization Code and Access Token Variable Size Information

Authorization

Last Updated:

Overview

This article will answer some Frequently Asked Questions (FAQs) on Authorization Code and Access Token Variable Size Deprecation notice. 

Deprecation notice:

Opaque Access Token and Authorization Code Fixed Length

Questions :

  1. What is the previous length of the Opaque Access token and what will be the new variable-length range after the deprecation?
  2. What is the previous length of the Authorization code and what will be the new variable-length range after the deprecation?

Applies To

  • Opaque Access Token
  • Authorization Code Fixed Length

Solution

Answers:

Previous Fixed Opaque token length: 32 Chars

New behavior: For a token meant to be used with the 'user info' endpoint, the customer can safely assume that the size of the token will not exceed 4096 characters. When specifying an audience, the exact content of access tokens cannot be determined beforehand (for example, scopes and claims can vary in number and size depending on circumstances), no specific guidance about size is given, and the length has always been variable.

2. What is the previous length of the Authorization code, and what will be the new variable-length range after the deprecation

Previous Fixed Code length: 16 Chars
New Behaviour: Currently, the Max is set to 45 Characters, but this is an implementation detail and can be changed. 
Our suggestion is to not rely on the size. 

Recommended content

No recommended content found...
Need more help? Visit the Community
Visit the Auth0 Community