[Openid-specs-mobile-profile] Issue #150: should auth_req_id have limits on allowable characters? (openid/mobile)

Joseph Heenan issues-reply at bitbucket.org
Sat Jan 26 13:55:31 UTC 2019


New issue 150: should auth_req_id have limits on allowable characters?
https://bitbucket.org/openid/mobile/issues/150/should-auth_req_id-have-limits-on

Joseph Heenan:

I can't find anything in the spec for auth_req_id that limits its allowable characters or maximum length.

For interoperability purposes it may be desirable to have a limited allowed character set (same as base64url allows?) and a max length (1024 for consistency with client_notification_token?).

(device_code in the OAuth 2.0 Device Flow also doesn't have any restrictions I can see, https://tools.ietf.org/html/draft-ietf-oauth-device-flow-13#section-3.2 )



