[Openid-specs-fapi] Discussions on size limits for OpenID protocol parameters
Joseph Heenan
joseph at authlete.com
Tue Oct 7 15:21:00 UTC 2025
Hi Mike
You can see some of the discussion (and links to further discussion) here: https://bitbucket.org/openid/fapi/issues/674/length-of-nonce-tested-in-op-conformance
There are some hard limits enforced in the FAPI certification tests for both state and nonce, e.g. a 64 character nonce is required to be accepted by the OP (and I think we warn (but not fail) if the RP uses over 64 characters in nonce).
Joseph
> On 3 Oct 2025, at 18:56, Michael Jones via Openid-specs-fapi <openid-specs-fapi at lists.openid.net> wrote:
>
> There’s a request in OpenID Connect to define size limits for some parameters at https://bitbucket.org/openid/connect/issues/2183/openid-connect-session-management-10-and.
>
> Anecdotally, I’m told that FAPI discussed adding size limits and decided not to do so.
>
> Indeed, there is one counterexample at https://openid.net/specs/fapi-security-profile-2_0.html#section-5.3.2.2-6 where the spec says that a parameter may be large but doesn’t try to limit its size.
> NOTE 4: In this document the state parameter is not used for CSRF protection, but may be used to by the client for application state. In circumstances where clients encode application state in a JWT the length of the state parameter value could be in excess of 1000 characters.
>
> Can any of you find references to Bitbucket issues in which the possibility of adding size limits for FAPI parameters was discussed?
>
> Thanks,
> -- Mike
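The length rules mentioned in this thread (an OP must accept a 64-character nonce; the certification tests warn when an RP sends more; state carrying a JWT may exceed 1000 characters) translate into a small parameter-length policy. The code below is an added illustration, not code from the FAPI working group or the conformance suite; the upper caps MAX_NONCE_LEN and MAX_STATE_LEN are assumed values chosen to stay well above the thread's figures while still bounding request size.

```python
import secrets
from dataclasses import dataclass, field

# Figures from the thread: conformance tests send a 64-char nonce that the OP
# must accept, and warn (not fail) if the RP exceeds 64; FAPI notes state may
# exceed 1000 chars. The two MAX_* caps are assumptions for this example.
MIN_ACCEPTED_NONCE_LEN = 64
RP_RECOMMENDED_NONCE_LEN = 64
MAX_NONCE_LEN = 512     # assumed OP-side cap, comfortably above 64
MAX_STATE_LEN = 4096    # assumed OP-side cap, comfortably above ~1000

assert MAX_NONCE_LEN >= MIN_ACCEPTED_NONCE_LEN  # policy must pass certification


def generate_nonce(nbytes: int = 32) -> str:
    """RP side: 32 random bytes -> 43 URL-safe chars, under the 64-char mark."""
    return secrets.token_urlsafe(nbytes)


@dataclass
class ParamCheck:
    ok: bool
    warnings: list = field(default_factory=list)
    errors: list = field(default_factory=list)


def check_authz_params(params: dict) -> ParamCheck:
    """OP side: length policy for the nonce and state of an authorization request.

    Rejects an absent or over-long nonce and an over-long state; a nonce above
    the recommended RP length is accepted with a warning, mirroring the tests.
    """
    result = ParamCheck(ok=True)
    nonce = params.get("nonce")
    if not nonce:
        result.errors.append("nonce is required")
    elif len(nonce) > MAX_NONCE_LEN:
        result.errors.append(f"nonce longer than {MAX_NONCE_LEN} chars")
    elif len(nonce) > RP_RECOMMENDED_NONCE_LEN:
        result.warnings.append(
            f"nonce longer than {RP_RECOMMENDED_NONCE_LEN} chars (accepted)")
    state = params.get("state")
    if state is not None and len(state) > MAX_STATE_LEN:
        result.errors.append(f"state longer than {MAX_STATE_LEN} chars")
    result.ok = not result.errors
    return result
```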