<div dir="ltr"><div dir="ltr"><div>Any GET request with a URL (including all query parameters) that exceeds 2 KB runs the risk of hitting browser-specific or webserver-specific limits.</div><div><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div><br></div>--Rob*<div><div><br></div></div></div></div></div></div></div></div></div></div></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Fri, Oct 3, 2025 at 10:56 AM Michael Jones via Openid-specs-fapi <<a href="mailto:openid-specs-fapi@lists.openid.net">openid-specs-fapi@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="msg-6471296543834732869">
<div lang="EN-US" style="overflow-wrap: break-word;">
<div class="m_-6471296543834732869WordSection1">
<p class="MsoNormal"><span style="font-size:11pt">There’s a request in OpenID Connect to define size limits for some parameters at
<a href="https://bitbucket.org/openid/connect/issues/2183/openid-connect-session-management-10-and" target="_blank">
https://bitbucket.org/openid/connect/issues/2183/openid-connect-session-management-10-and</a>.</span></p>
<p class="MsoNormal"><span style="font-size:11pt"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt">Anecdotally, I’m told that FAPI discussed adding size limits and decided not to do so.</span></p>
<p class="MsoNormal"><span style="font-size:11pt"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt">Indeed, there is one counterexample at
<a href="https://openid.net/specs/fapi-security-profile-2_0.html#section-5.3.2.2-6" target="_blank">
https://openid.net/specs/fapi-security-profile-2_0.html#section-5.3.2.2-6</a> where the spec says that a parameter may be large but doesn’t try to limit its size.</span></p>
<p class="MsoNormal" style="margin-left:0.5in"><b><span style="font-size:11pt">NOTE 4</span></b><span style="font-size:11pt">: In this document the state parameter is not used for CSRF protection, but may be used by the client for application state. In
circumstances where clients encode application state in a JWT the length of the state parameter value could be in excess of 1000 characters.</span></p>
<p class="MsoNormal"><span style="font-size:11pt"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt">Can any of you find references to Bitbucket issues in which the possibility of adding size limits for FAPI parameters was discussed?</span></p>
<p class="MsoNormal"><span style="font-size:11pt"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt"> Thanks,</span></p>
<p class="MsoNormal"><span style="font-size:11pt"> -- Mike</span></p>
<p class="MsoNormal"><span style="font-size:11pt"> </span></p>
</div>
</div>
_______________________________________________<br>
Openid-specs-fapi mailing list<br>
<a href="mailto:Openid-specs-fapi@lists.openid.net" target="_blank">Openid-specs-fapi@lists.openid.net</a><br>
<a href="https://lists.openid.net/mailman/listinfo/openid-specs-fapi" rel="noreferrer" target="_blank">https://lists.openid.net/mailman/listinfo/openid-specs-fapi</a><br>
</div></blockquote></div></div>
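<p>Added worked example, not part of the thread above and not code from the OpenID Foundation or any FAPI implementation: a client that carries application state in a JWT-formatted <code>state</code> value (the situation NOTE 4 describes) builds its authorization request URL and measures it against a URL-length budget (the 2 KB concern raised in the reply). The 2048-byte budget, the HS256 construction of the state JWT, the HMAC key, the endpoint, client identifier and sample form data are all assumptions chosen for illustration.</p>

```python
"""Measure an OAuth 2.0 / OpenID Connect authorization request whose `state`
carries a JWT of application state, and flag it against a URL-length budget.

Illustrative example; not code from the mailing-list thread or from any
OpenID specification. Every identifier and threshold below is an assumption.
"""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from urllib.parse import urlencode

# Assumption: budget below the roughly 2 KB limit mentioned in the thread.
URL_LENGTH_BUDGET = 2048
# Assumption: the NOTE 4 figure, used here only as a reporting threshold.
LARGE_STATE_THRESHOLD = 1000


def b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWT compact serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_state_jwt(app_state: dict, key: bytes) -> str:
    """Encode application state as an HS256 JWT.

    The client is both issuer and consumer, so a symmetric MAC is enough to
    detect tampering on the way back through the authorization response.
    The payload is only integrity-protected, not encrypted.
    """
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"},
                               separators=(",", ":")).encode())
    payload = b64url(json.dumps(app_state, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = b64url(hmac.new(key, signing_input, hashlib.sha256).digest())
    return f"{header}.{payload}.{sig}"


def verify_state_jwt(token: str, key: bytes) -> dict:
    """Check the HS256 signature and return the decoded application state."""
    header, payload, sig = token.split(".")
    signing_input = f"{header}.{payload}".encode("ascii")
    expected = b64url(hmac.new(key, signing_input, hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("state signature mismatch")
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


@dataclass
class SizeReport:
    url: str
    url_length: int
    state_length: int
    state_is_large: bool     # state longer than LARGE_STATE_THRESHOLD
    exceeds_budget: bool     # whole URL longer than URL_LENGTH_BUDGET


def authorization_params(state: str) -> dict:
    """Constructed sample authorization request parameters (assumed values)."""
    return {
        "response_type": "code",
        "client_id": "example-client",
        "redirect_uri": "https://client.example.com/cb",
        "scope": "openid",
        "state": state,
        # Constructed PKCE challenge value; 43 base64url characters like a real S256 one.
        "code_challenge": "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
        "code_challenge_method": "S256",
    }


def build_authorization_url(authorization_endpoint: str, params: dict) -> SizeReport:
    """Serialise the request as a front-channel GET URL and report its size."""
    url = f"{authorization_endpoint}?{urlencode(params)}"
    state_len = len(params.get("state", ""))
    return SizeReport(
        url=url,
        url_length=len(url),
        state_length=state_len,
        state_is_large=state_len > LARGE_STATE_THRESHOLD,
        exceeds_budget=len(url) > URL_LENGTH_BUDGET,
    )


def large_app_state() -> dict:
    """Constructed sample: a multi-step form snapshot the client wants to
    resume after the user returns from the authorization server."""
    return {"return_to": "/orders/new",
            "form": {f"field{i}": "x" * 20 for i in range(60)}}


if __name__ == "__main__":
    key = b"example-hmac-key"  # assumption: a fixed key for the demonstration
    endpoint = "https://as.example.com/authorize"  # assumed endpoint
    for label, app_state in (("small", {"return_to": "/dashboard"}),
                             ("large", large_app_state())):
        report = build_authorization_url(endpoint, authorization_params(
            make_state_jwt(app_state, key)))
        print(f"{label}: url={report.url_length} state={report.state_length} "
              f"large_state={report.state_is_large} over_budget={report.exceeds_budget}")
```

<p>Running the module prints one line per sample; the "large" state is well over 1000 characters and pushes the GET URL past the 2048-byte budget, which is exactly the combination the NOTE 4 text and the 2 KB remark describe. A client that trips <code>exceeds_budget</code> has to move the request off the front-channel query string rather than rely on every browser and web server along the path accepting it.</p>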