I’ve also been trying to find this. I’d say – try and ensure it’s below 7kb. Whilst JWT defines no upper limit in the spec (http://www.rfc-editor.org/rfc/rfc7519.txt) we do have some operational limits. As a JWT is included in a HTTP header, we’ve an upper limit (SO: Maximum on http header values) of 8K on the … Read more
RFC 7519 states that the exp and iat claim values must be NumericDate values. NumericDate is the last definition in Section 2. Terminology, and is defined as the number of seconds (not milliseconds) since Epoch: A JSON numeric value representing the number of seconds from 1970-01-01T00:00:00Z UTC until the specified UTC date/time, ignoring leap seconds. … Read more
Both choices refer to what algorithm the identity provider uses to sign the JWT. Signing is a cryptographic operation that generates a “signature” (part of the JWT) that the recipient of the token can validate to ensure that the token has not been tampered with. RS256 (RSA Signature with SHA-256) is an asymmetric algorithm, and … Read more