Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

[JWT] MaximumTokenSizeInBytes usage is surprising

See original GitHub issue

I have a well-formed JWS : [base64url-encoded header].[base64url-encoded payload].[base64url-encoded signature]. This token is about 1.7MB in its compact serialization form. When I try to validate this token, I have an error IDX12709 saying that my token is malformed and should a JWE or a JWE… The error message is not very useful. When I look at the source code, I see many usage of the same error message :

The token has 2 ‘.’ but does not match the JWS regex
The token has 4 ‘.’ but does not match the JWE regex
The token has something else than 2 or 4 ‘.’
The token cannot be read:
- The token is empty
- The token length * 2 > MaximumTokenSizeInBytes
- Others validations already done previously

My token length is 1.7MB: token.length (1.7MB) * 2 > MaximumTokenSizeInBytes (2MB) == True

I found my problem! MaximumTokenSizeInBytes should be renamed HalfMaximumTokenSizeInBytes and the workaround is just to double this value. 🙄

This is strange because there is an error for the token too big (IDX10209) but this error is raised when token length >MaximumTokenSizeInBytes

My points are:

The error message is unclear
Two validations for the same data (token.length) with the same parameter (MaximumTokenSizeInBytes) produce two different behaviours
I expect that my token length can be of 2MB if I set the maximum to 2MB