Users attempting to log in to an OIDC application may receive a login error. Examining the URL may show that the access token is incomplete.
- OpenID Connect
- Token Authentication
When an OIDC application is configured with the Implicit or Hybrid grant type, it receives tokens via the browser by default. Because the token is then part of the URL, it may be truncated if the URL exceeds the length that the browser can support. For example, in the Safari browser, if the URL length exceeds 8000 characters, the token may get truncated.
For the limits in different browsers, refer to the What Is the Maximum Length of a URL in Different Browsers article.
To resolve this issue, set response_mode to form_post instead of fragment in the authorization request. The following response_modes are supported:
- fragment
- form_post
- query
- okta_post_message
The response for Implicit and Hybrid modes defaults to fragment when first configured. Changing the response mode from fragment to form_post will prevent the token truncation. It is recommended to refer to the Okta API documentation for more information on supported response_modes.
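The following is an added example, not Okta's code: it rewrites an Implicit or Hybrid authorization request to use form_post and checks a captured callback URL for a cut-off token. It assumes the tokens are JWTs; the URLs, parameter values, and function names are constructed for illustration.

```javascript
// Added example: endpoint, client_id and redirect URI values are constructed placeholders.

// True when response_type requests tokens through the browser (Implicit or Hybrid).
function returnsTokensViaBrowser(responseType) {
  const parts = responseType.split(/\s+/);
  return parts.includes('token') || parts.includes('id_token');
}

// Return the authorization request URL with response_mode=form_post whenever
// tokens would otherwise come back in the redirect URL (fragment or query).
function useFormPost(authorizeUrl) {
  const url = new URL(authorizeUrl);
  const params = url.searchParams;
  const mode = params.get('response_mode') || 'fragment'; // default per the article
  if (returnsTokensViaBrowser(params.get('response_type') || '') &&
      (mode === 'fragment' || mode === 'query')) {
    params.set('response_mode', 'form_post');
  }
  return url.toString();
}

// Decode one base64url JWT segment as JSON; null if it does not parse.
// Buffer is Node.js; in a browser use atob instead.
function decodeSegment(segment) {
  try {
    const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
    return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  } catch (e) {
    return null;
  }
}

// Inspect a callback URL from a failed login. For each token in the fragment,
// report whether it still has three non-empty segments with a parseable header
// and payload. A cut inside the signature is not detected by this check.
function inspectCallback(callbackUrl) {
  const fragment = new URLSearchParams(new URL(callbackUrl).hash.slice(1));
  const tokens = {};
  for (const name of ['access_token', 'id_token']) {
    const value = fragment.get(name);
    if (value === null) continue;
    const seg = value.split('.');
    tokens[name] = seg.length === 3 && seg.every((s) => s.length > 0) &&
      decodeSegment(seg[0]) !== null && decodeSegment(seg[1]) !== null;
  }
  return { length: callbackUrl.length, tokens };
}
```

With form_post the tokens arrive as form fields in an HTTP POST to the redirect URI, so the application must accept POST requests at that endpoint.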
