[Openid-specs-ab] Issue #2183: OpenID Connect Session Management 1.0 and the size limit for parameter session_state (openid/connect)
Andrii Deinega
issues-reply at bitbucket.org
Mon Aug 18 18:59:13 UTC 2025
New issue 2183: OpenID Connect Session Management 1.0 and the size limit for parameter session_state
https://bitbucket.org/openid/connect/issues/2183/openid-connect-session-management-10-and
Andrii Deinega:
[https://openid.net/specs/openid-connect-session-1_0.html](https://openid.net/specs/openid-connect-session-1_0.html) introduces the session_state parameter and defines it as
> JSON [[RFC7159]](https://openid.net/specs/openid-connect-session-1_0.html#RFC7159) string that represents the End-User's login state at the OP. It MUST NOT contain the space (" ") character. This value is opaque to the RP. This is REQUIRED if session management is supported.
This is also followed by this suggestion on how OPs should generate it:
> The generation of suitable Session State values is specified in [Section 3.2](https://openid.net/specs/openid-connect-session-1_0.html#OPiframe), and is based on a salted cryptographic hash of Client ID, origin URL, and OP User Agent state.
which sort of implies it has a fixed size (64 characters long). However, my experience shows that some OPs in the wild make it a very, very long string (my guess is they issue an encrypted JWT or something), which led to integration issues.
The suggestion is to specify some sane size limits for it.
Note that passing it as a query parameter via the front channel is limited by size constraints due to its nature.