Tags: identityserver4, openid-connect, oidc-client-js

OIDC Implicit flow - redirect uri length


I'm using OIDC with the implicit code flow with response type "id_token token". Everything works great, but I noticed that the callback URL with access token, id_token, scope and session_state + domain name already contains 2033 characters. The project that I'm working on needs to support IE 10, and as far as I know there is a URL limit of 2048 characters. I'm a little afraid that the length of the callback URL is approaching this limit dangerously. What is the suggested approach with cases like that? Could I change the response type to "token" and then request user information from the user info endpoint? Or maybe should I do something to reduce the size of the callback URL, try to reduce the information in the access_token and id_token? The third option seems to be reference tokens, but I'm a little afraid about the overhead of one extra call to the STS.

In the project I use oidc-client-js and IdentityServer4.

Thanks


Solution

  • Try to keep the token as small as possible. IOW fewer claims.

    IdentityServer removes all additional claims from the identity token by default in scenarios where an access token is available (unless you override this behavior).

    Reference tokens are another way of dealing with that as you said. By enabling caching in the API middleware, you can keep the overhead small.

    IE is the plague.