Bug 8262 - Web Access does not allow logging in with a long token as password
Summary: Web Access does not allow logging in with a long token as password
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Web Access
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: LowPrio
Assignee: Bugzilla mail exporter
Reported: 2023-11-28 13:51 CET by William Sjöblom
Modified: 2023-12-05 13:09 CET

Description William Sjöblom cendio 2023-11-28 13:51:05 CET
More generally, there are PAM authentication modules that, instead of accepting an ordinary password, accept some kind of "token". This is often the case when using single sign-on mechanisms for authentication.

In the case of OpenID Connect and the PAM module pam_oidc (https://github.com/salesforce/pam_oidc), the "password" given to PAM is a JSON Web Token (JWT). The `id_token` JWTs provided by Google when using their OpenID Connect SSO mechanisms are around 1200 bytes long. `pamconversation.py` arbitrarily limits the password length to a little shy of 1024 bytes, which makes these authentication mechanisms non-usable.

When this arbitrary limit is hit, you are met with the following error message in Web Access:
> Internal error. If this problem persists, please contact your system administrator.
with the following being logged in `/var/log/tlwebaccess.log`:
> Error communicating with PAM subsystem for user 'wilsj': pamconv: received data exceeds limit

Comment 2 William Sjöblom cendio 2023-11-28 13:55:32 CET
Fixing this would make it possible to add an OpenID Connect SSO authentication portal in front of Web Access without any further modifications to ThinLinc.
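To make the size problem in the description concrete, here is an added Python example (not ThinLinc's, pam_oidc's or the reporter's code): it assembles a JWT with the claim set a Google id_token typically carries, using constructed placeholder values and a zero-filled 256-byte stand-in for the RS256 signature, and runs it through a stand-in for the conversation length check. The client id, claim values, the exact 1024-byte limit and the function names are assumptions.

```python
import base64
import json

# The report puts the pamconversation.py cap "a little shy of 1024 bytes" (exact value not given); 1024 is assumed.
OBSERVED_LIMIT = 1024
# Constructed value with the shape of a Google OAuth client id.
CLIENT_ID = "123456789012-0123456789abcdefghijklmnopqrstuvwxyz.apps.googleusercontent.com"


def b64url(raw: bytes) -> str:
    """Unpadded base64url, the encoding JWT segments use (RFC 7515)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def build_google_like_id_token() -> str:
    """JWT with the claim set a Google id_token typically carries (all values constructed)."""
    header = {"alg": "RS256", "kid": "0" * 40, "typ": "JWT"}
    claims = {
        "iss": "https://accounts.google.com", "azp": CLIENT_ID, "aud": CLIENT_ID,
        "sub": "110169484474386276334", "hd": "example.com",
        "email": "wilsj@example.com", "email_verified": True,
        "at_hash": "HK6E_P6Dh8Y93mRNtsDB1Q", "name": "Example User",
        "picture": "https://lh3.googleusercontent.com/a/ACg8ocExamplePlaceholderPhotoId=s96-c",
        "given_name": "Example", "family_name": "User", "locale": "en",
        "iat": 1701175865, "exp": 1701179465,
    }
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    # bytes(256) is a zero-filled stand-in for a 256-byte RS256 signature: it gives
    # the token its realistic length but is of course not verifiable.
    return ".".join(b64url(p) for p in (compact(header), compact(claims), bytes(256)))


class PamConvError(Exception):
    """The conversation reader refused an oversized response."""


def pamconv_receive(response: bytes, limit: int = OBSERVED_LIMIT) -> bytes:
    """Stand-in for the length check the report describes in pamconversation.py."""
    if len(response) > limit:
        raise PamConvError("pamconv: received data exceeds limit")
    return response


def token_fits(limit: int) -> bool:
    """Would a Google-sized id_token get past a conversation reader with this cap?"""
    try:
        pamconv_receive(build_google_like_id_token().encode("ascii"), limit)
    except PamConvError:
        return False
    return True
```

The constructed token comes out at roughly 1170 bytes, in line with the ~1200 bytes the report quotes for Google's id_token, so `token_fits(OBSERVED_LIMIT)` is False while a reader allowing a few KiB accepts it.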
