<div dir="ltr">Just chimed in on the thread. <div><br></div><div>For the query parameter length, we should look at the request_uri. </div><div>For the database limit that some implementations have for state etc., well... what would be a sensible limit? </div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, Nov 1, 2018 at 12:20 AM Joseph Heenan via Openid-specs-ab &lt;<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">New issue 1055: Limits on overall url length<br>
<a href="https://bitbucket.org/openid/connect/issues/1055/limits-on-overall-url-length" rel="noreferrer" target="_blank">https://bitbucket.org/openid/connect/issues/1055/limits-on-overall-url-length</a><br>
<br>
Joseph Heenan:<br>
<br>
As discussed on <a href="https://github.com/openid-certification/oidctest/issues/134" rel="noreferrer" target="_blank">https://github.com/openid-certification/oidctest/issues/134</a> there are interoperability issues associated with some fields being overly long, in particular with the state & nonce fields where the spec does not limit the size of values supplied by the RP.<br>
<br>
The core spec should probably give some guidance on lengths.<br>
<br>
<br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature">Nat Sakimura (=nat)<div>Chairman, OpenID Foundation<br><a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>@_nat_en</div></div>