[Openid-specs-ab] Issue #986: Core - 6.2 - Softening the 512 ASCII characters restriction (openid/connect)
issues-reply at bitbucket.org
Wed Oct 14 09:19:21 UTC 2015
New issue 986: Core - 6.2 - Softening the 512 ASCII characters restriction
A question was asked on the OAuth list about why there is a 512 ASCII character restriction in OAuth JAR (JWT Authorization Request). It is because this restriction is in OpenID Connect Core 1.0.
In section 6.2, it says:
The entire Request URI MUST NOT exceed 512 ASCII characters.
The reason it is there is due to the following factors:
1. WAP / feature phone consideration: they typically do not accept large payloads. Some of them accept only about 540 or so according to our survey.
2. Internet Explorer 6.x etc. restriction: They supported only 1024 bytes.
3. UX consideration: sending many bytes over an EDGE / 2G connection is unbearably slow.
While point 2. is virtually gone, 1. and 3. still have a point, especially in developing countries. So, I would not like this restriction to be gone, but it would be OK to soften it to SHOULD or even "recommended".