[Openid-specs-fapi] Discussions on size limits for OpenID protocol parameters

Michael Jones michael_b_jones at hotmail.com
Fri Oct 3 17:56:48 UTC 2025


There's a request in OpenID Connect to define size limits for some parameters at https://bitbucket.org/openid/connect/issues/2183/openid-connect-session-management-10-and.

Anecdotally, I'm told that FAPI discussed adding size limits and decided not to do so.

Indeed, there is one counterexample at https://openid.net/specs/fapi-security-profile-2_0.html#section-5.3.2.2-6 where the spec says that a parameter may be large but doesn't try to limit its size.
    NOTE 4: In this document the state parameter is not used for CSRF protection, but may be used by the client for application state. In circumstances where clients encode application state in a JWT, the length of the state parameter value could be in excess of 1000 characters.

Can any of you find references to Bitbucket issues in which the possibility of adding size limits for FAPI parameters was discussed?

                                                                Thanks,
                                                                -- Mike
