IBM Security Verify


Maximum string size for OIDC Table (EXTRA_ATTRIBUTE)


    Posted 7 days ago
    Hi all,

    We are providing information (strings) such as group memberships to a JWT token / ID token. These OIDC claims are stored in a table named "EXTRA_ATTRIBUTE". Unfortunately, there is a size limitation of 256 characters for this table, which is why an exception is thrown if the provided string is longer than the maximum string length of 256 characters. As a result, no group information is provided to the JWT.

    See the following exception in detail:
    [1/14/22 10:22:26:141 CET] 000046a1 id=00000000 com.tivoli.am.fim.utils.jdbc.JdbcStatementUtils > setPreparedStatementParam ENTRY 1 uuid57e534b9-017e-1009-8f5a-a1f9a1f63d4f
    [1/14/22 10:22:26:141 CET] 000046a1 id=00000000 com.tivoli.am.fim.utils.jdbc.JdbcStatementUtils < setPreparedStatementParam RETURN
    [1/14/22 10:22:26:141 CET] 000046a1 id=00000000 com.tivoli.am.fim.utils.jdbc.JdbcStatementUtils > setPreparedStatementParam ENTRY 2 urn:ibm:names:ITFIM:oidc:claim:value:x-groups
    [1/14/22 10:22:26:141 CET] 000046a1 id=00000000 com.tivoli.am.fim.utils.jdbc.JdbcStatementUtils < setPreparedStatementParam RETURN
    [1/14/22 10:22:26:141 CET] 000046a1 id=00000000 com.tivoli.am.fim.utils.jdbc.JdbcStatementUtils > setPreparedStatementParam ENTRY 3 GROUP_NAME_ANALYTICSEMPLOYEE,GROUP_NAME_DISPOSITIONVIEWER,GROUP_NAME_FUNCTIONALADMINISTRATOR,GROUP_NAME_LOCATIONCONTROLLER,GROUP_NAME_LOCATIONMANAGER,GROUP_NAME_MASTERDATAMANAGER,GROUP_NAME_SPECIALIST,GROUP_NAME_TECHNICALADMINISTRATOR,GROUP_NAME_TESTDRIVER,GROUP_NAME_USER,GROUP_NAME_VALIDATOR,GROUP_NAME_WORKSHOPEMPLOYEE,GROUP_NAME_DISPOSITIONSTATIONVIEWER
    [1/14/22 10:22:26:142 CET] 000046a1 id=00000000 com.tivoli.am.fim.utils.jdbc.JdbcStatementUtils 3 execute java.sql.SQLException: ORA-12899: value too large ."OAUTH20_TOKEN_EXTRA_ATTRIBUTE"."ATTR_VALUE" (actual: 331, maximum: 256)


    Is there a way to increase the string length for this table or alternative ways for providing the necessary strings to a JWT token?
    I also saw this IBM note there. But there was no solution provided.

    Thanks in advance & best regards
    Thomas


    ------------------------------
    Thomas Renner
    ------------------------------
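
An added example (not part of the original post and not IBM code): a small Python triage script that correlates an ORA-12899 error with the parameters bound on the same trace thread, showing which claim failed to persist and by how much it exceeded the column limit. It assumes, based on the trace above, that parameter 2 is the attribute name and parameter 3 its value; the sample lines are constructed.

```python
import re

PARAM = re.compile(r"^\[[^\]]+\]\s+(?P<thread>[0-9a-f]{8})\s.*"
                   r"setPreparedStatementParam ENTRY (?P<idx>\d+) (?P<val>.*)$")
ORA = re.compile(r"^\[[^\]]+\]\s+(?P<thread>[0-9a-f]{8})\s.*ORA-12899:.*"
                 r'"(?P<table>[^"]+)"\."(?P<col>[^"]+)" '
                 r"\(actual: (?P<actual>\d+), maximum: (?P<max>\d+)\)")


def find_oversized_claims(lines):
    """Return one finding per ORA-12899 error, tied to the claim bound before it."""
    bound = {}      # thread id -> {parameter index: value} for the open statement
    findings = []
    for line in lines:
        m = PARAM.match(line)
        if m:
            if m["idx"] == "1":          # parameter 1 starts a new statement
                bound[m["thread"]] = {}
            bound.setdefault(m["thread"], {})[int(m["idx"])] = m["val"]
            continue
        m = ORA.match(line)
        if m:
            params = bound.pop(m["thread"], {})
            actual, maximum = int(m["actual"]), int(m["max"])
            findings.append({
                # Assumption from the trace: param 2 = claim name, param 3 = value
                "claim": params.get(2, "<unknown>"),
                "column": f'{m["table"]}.{m["col"]}',
                "actual": actual,
                "maximum": maximum,
                "excess": actual - maximum,
                "entries": len(params.get(3, "").split(",")) if params.get(3) else 0,
            })
    return findings


# Constructed sample trace, modelled on the line format in the post (not real data).
_PFX = ("[1/14/22 10:22:26:141 CET] 000046a1 id=00000000 "
        "com.tivoli.am.fim.utils.jdbc.JdbcStatementUtils")
_GROUPS = ",".join(f"GROUP_NAME_ROLE{i:02d}" for i in range(20))
SAMPLE = [
    f"{_PFX} > setPreparedStatementParam ENTRY 1 uuid-constructed-0001",
    f"{_PFX} < setPreparedStatementParam RETURN",
    f"{_PFX} > setPreparedStatementParam ENTRY 2 urn:ibm:names:ITFIM:oidc:claim:value:x-groups",
    f"{_PFX} > setPreparedStatementParam ENTRY 3 {_GROUPS}",
    f"{_PFX} 3 execute java.sql.SQLException: ORA-12899: value too large "
    f'."OAUTH20_TOKEN_EXTRA_ATTRIBUTE"."ATTR_VALUE" (actual: {len(_GROUPS)}, maximum: 256)',
]

if __name__ == "__main__":
    for finding in find_oversized_claims(SAMPLE):
        print(finding)
```

Because the failed insert leaves the token without its group claim, each finding marks a login where downstream authorization decisions ran on incomplete membership data.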