[Openid-specs-fapi] Discussions on size limits for OpenID protocol parameters
Rob Starling
robstar at google.com
Fri Oct 3 19:00:28 UTC 2025
Any GET request with a URL (including all query parameters) that exceeds
2kb runs the risk of hitting browser-specific or webserver-specific limits.
--Rob
On Fri, Oct 3, 2025 at 10:56 AM Michael Jones via Openid-specs-fapi <
openid-specs-fapi at lists.openid.net> wrote:
> There’s a request in OpenID Connect to define size limits for some
> parameters at
> https://bitbucket.org/openid/connect/issues/2183/openid-connect-session-management-10-and
> .
>
> Anecdotally, I’m told that FAPI discussed adding size limits and decided
> not to do so.
>
> Indeed, there is one counterexample at
> https://openid.net/specs/fapi-security-profile-2_0.html#section-5.3.2.2-6
> where the spec says that a parameter may be large but doesn’t try to limit
> its size.
>
> *NOTE 4*: In this document the state parameter is not used for CSRF
> protection, but may be used by the client for application state. In
> circumstances where clients encode application state in a JWT the length of
> the state parameter value could be in excess of 1000 characters.
>
> Can any of you find references to Bitbucket issues in which the
> possibility of adding size limits for FAPI parameters was discussed?
>
> Thanks,
>
> -- Mike
>
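As an added illustration of the two points in this exchange (the roughly 2 KB URL ceiling Rob mentions and the FAPI note that a JWT-encoded state value can exceed 1000 characters), not code from the thread or from any OpenID specification: the Python below builds a constructed front-channel authorization request URL twice, once carrying application state as an HS256 JWT in `state` and once carrying only an opaque handle to server-side state, and checks each against a 2048-byte ceiling. The endpoint, client_id, redirect_uri, key and application-state values are all placeholders.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlencode

# Ceiling taken from the thread: URLs beyond about 2 KB risk browser or server limits.
URL_LIMIT = 2048


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def hs256_jwt(claims: dict, key: bytes) -> str:
    """Compact JWS (HS256) used here only to carry application state in `state`."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def build_authorization_url(authz_endpoint: str, state: str) -> str:
    """Constructed authorization request (placeholder client and redirect values)."""
    params = {
        "response_type": "code",
        "client_id": "example-client",
        "redirect_uri": "https://rp.example/cb",
        "scope": "openid accounts",
        "code_challenge": b64url(hashlib.sha256(secrets.token_bytes(32)).digest()),
        "code_challenge_method": "S256",
        "nonce": secrets.token_urlsafe(32),
        "state": state,
    }
    return f"{authz_endpoint}?{urlencode(params)}"


def exceeds_url_limit(url: str, limit: int = URL_LIMIT) -> bool:
    return len(url.encode()) > limit


def demo() -> tuple[int, int]:
    """Returns (bytes with JWT state, bytes with opaque handle) for the same request."""
    key = secrets.token_bytes(32)  # placeholder signing key
    # Constructed application state: a deep-link with ~200 query fields is enough
    # to push the JWT form of `state` well past 1000 characters.
    app_state = {"return_to": "/accounts?" + "&".join(f"f{i}=v{i}" for i in range(200))}
    jwt_url = build_authorization_url("https://as.example/authorize", hs256_jwt(app_state, key))
    # Mitigation: keep the application state server-side, keyed by an opaque handle.
    handle_url = build_authorization_url("https://as.example/authorize", secrets.token_urlsafe(32))
    return len(jwt_url.encode()), len(handle_url.encode())
```

The same check applies whether the ceiling comes from a browser, a reverse proxy or an authorization server's own request parser; pushed authorization requests (PAR) move the long parameters off the front channel entirely.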