Enforce token_max_size

[oreoshake]

Currently, the configurable token_max_size value is not used anywhere. It should be used by a recovery provider to reject incoming tokens that are bigger than token_max_size.