2 files changed, 5 insertions, 3 deletions

diff --git a/modules/auth/oauth2/oauth2.go b/modules/auth/oauth2/oauth2.go
index 0b18afdaf7..a50c639885 100644
--- a/modules/auth/oauth2/oauth2.go
+++ b/modules/auth/oauth2/oauth2.go
@@ -5,7 +5,6 @@
 package oauth2
 
 import (
-	"math"
 	"net/http"
 
 	"code.gitea.io/gitea/modules/log"
@@ -26,7 +25,7 @@ import (
 	"github.com/markbates/goth/providers/openidConnect"
 	"github.com/markbates/goth/providers/twitter"
 	"github.com/markbates/goth/providers/yandex"
-	"github.com/satori/go.uuid"
+	uuid "github.com/satori/go.uuid"
 	"xorm.io/xorm"
 )
 
@@ -58,7 +57,7 @@ func Init(x *xorm.Engine) error {
 	// when using OpenID Connect , since this can contain a large amount of extra information in the id_token
 
 	// Note, when using the FilesystemStore only the session.ID is written to a browser cookie, so this is explicit for the storage on disk
-	store.MaxLength(math.MaxInt16)
+	store.MaxLength(setting.OAuth2.MaxTokenLength)
 	gothic.Store = store
 
 	gothic.SetState = func(req *http.Request) string {
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index a18b47a7e9..069a3556da 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -10,6 +10,7 @@ import (
 	"fmt"
 	"io"
 	"io/ioutil"
+	"math"
 	"net"
 	"net/url"
 	"os"
@@ -323,11 +324,13 @@ var (
 		InvalidateRefreshTokens    bool
 		JWTSecretBytes             []byte `ini:"-"`
 		JWTSecretBase64            string `ini:"JWT_SECRET"`
+		MaxTokenLength             int
 	}{
 		Enable:                     true,
 		AccessTokenExpirationTime:  3600,
 		RefreshTokenExpirationTime: 730,
 		InvalidateRefreshTokens:    false,
+		MaxTokenLength:             math.MaxInt16,
 	}
 
 	U2F = struct {