Increase max payload length to 128000 bytes #93
steverweber wants to merge 1 commit into authlib:main from
Some organizations have large JWT claims that have been in the 32k range.
Pull request overview
This PR increases the default maximum allowed JWS payload segment length in the RFC7515 registry to support larger JWT/JWS claims (per issue #92) without triggering ExceededSizeError during deserialization.
Changes:
- Bump JWSRegistry.max_payload_length from 8000 bytes to 128000 bytes.
| #: max payload content's size in bytes | ||
| max_payload_length: int = 8000 | ||
| max_payload_length: int = 128000 |
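Review bot: the new default on the max_payload_length line is 128000, roughly four times the 32k claims the description gives as the motivating case, and as a registry default it applies to every user of the library, not only the organizations with large tokens. This limit is what raises ExceededSizeError on oversized input, so consider a default closer to the stated need, or keep 8000 and document overriding max_payload_length for deployments that need more.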
Raising the default max_payload_length to 128000 changes JWS size-validation behavior and breaks existing unit tests that currently expect an ExceededSizeError for ~13KB base64url payload segments (e.g. tests/jws/test_compact.py::test_payload_exceeded_size_error uses a 10,000-byte payload before encoding). Please update the test vectors to exceed the new limit (ideally derived from registry.max_payload_length to avoid future drift).
| max_header_length: int = 512 | ||
| #: max payload content's size in bytes | ||
| max_payload_length: int = 8000 | ||
| max_payload_length: int = 128000 |
128000 is a bit ambiguous (decimal KB vs KiB). Elsewhere the codebase uses * 1024 or powers of two for byte-size limits (e.g. JWE ciphertext limit is 65536 # 64KB). Consider expressing this as 128 * 1024 (131072) or adding an inline comment clarifying that the intent is exactly 128000 bytes.
| max_payload_length: int = 128000 | |
| max_payload_length: int = 128000 # exactly 128000 bytes |
solve #92
Some organizations have large JWT claims that have been in the 32k range.
I feel 128k is safe and unlikely to be hit unless something is very wrong on the auth provider end.