[Openid-specs-ab] Issue #986: Core - 6.2 - Softening the 512 ASCII characters restriction (openid/connect)

Nat Sakimura issues-reply at bitbucket.org
Wed Oct 14 09:19:21 UTC 2015

New issue 986: Core - 6.2 - Softening the 512 ASCII characters restriction

Nat Sakimura:

A question has been asked on the OAuth list about why there is a 512 ASCII character restriction in OAuth JAR (JWT Authorization Request). It is because this restriction is there in OpenID Connect Core 1.0.

In section 6.2, it goes: 


The entire Request URI MUST NOT exceed 512 ASCII characters.

The reason it is there is due to the following factors: 

1. WAP / feature phone consideration: they typically do not accept large payloads. Some of them accept only about 540 or so according to our survey.
2. Internet Explorer 6.x etc. restriction: They supported only 1024 bytes.
3. UX consideration: sending many bytes over an EDGE / 2G connection is unbearably slow.

While point 2 is virtually gone, 1 and 3 still have some point, especially in developing countries. So, I would not like this restriction to be gone, but it would be OK to soften it to SHOULD or even "recommended".

Please discuss. 
