Hi all, I've looked through both the OAuth 2 and Current Security Best Practices documents, and nowhere does it seem to mention a max-length for the user-supplied "state" parameter for use in authorization code grant flows. Should the server implement a maximum length? Is the server allowed to set a maximum allowable length for the state parameter?
The issue we're seeing is that some clients are encoding large JSON values in the state parameter (which feels wrong, but is technically allowable), and this causes an error with nginx and other software where the resulting Location header is too large, causing a 502 error. See:

- https://github.com/mastodon/mastodon/issues/12915
- https://github.com/doorkeeper-gem/doorkeeper/issues/1554

The ABNF for `state` is just:

    state = 1*VSCHAR

— there is no mention of an upper limit, per https://www.rfc-editor.org/rfc/rfc6749.html#appendix-A.5

Is there anything I've missed here?

Yours,
Emelia

_______________________________________________
OAuth mailing list -- oauth@ietf.org
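As an added illustration (not part of Emelia's message or of either linked project), a small Python sketch of the two halves of the question: the RFC 6749 ABNF check for `state` together with a server-policy length cap, set against the size of the Location header that a large JSON state produces. The 4096-byte header budget, the 512-character cap, the redirect URI and the JSON payload are all constructed values for the example.

```python
import json
import urllib.parse
from typing import Optional

# Illustrative limits for this example only: HEADER_BUDGET stands in for a
# reverse proxy's header buffer, and STATE_MAX_LEN is local server policy;
# RFC 6749's ABNF (`state = 1*VSCHAR`) sets no upper bound.
HEADER_BUDGET = 4096
STATE_MAX_LEN = 512

def is_vschar(value: str) -> bool:
    """RFC 6749 Appendix A: VSCHAR = %x20-7E (space through tilde)."""
    return all(0x20 <= ord(ch) <= 0x7E for ch in value)

def validate_state(state: Optional[str], max_len: int = STATE_MAX_LEN) -> Optional[str]:
    """None if `state` is acceptable, else the OAuth error code to return."""
    if state is None:  # state is optional in the authorization request
        return None
    # The ABNF demands at least one VSCHAR; the length cap is local server policy.
    if not state or not is_vschar(state) or len(state) > max_len:
        return "invalid_request"
    return None

def build_location(redirect_uri: str, code: str, state: Optional[str]) -> str:
    """Location header value for a successful authorization code response."""
    params = {"code": code}
    if state is not None:
        params["state"] = state  # echoed back verbatim, percent-encoded
    return redirect_uri + "?" + urllib.parse.urlencode(params)

def location_header_len(redirect_uri: str, code: str, state: Optional[str]) -> int:
    """Byte length of the full 'Location: <url>\\r\\n' header line."""
    line = "Location: " + build_location(redirect_uri, code, state) + "\r\n"
    return len(line.encode("ascii"))

# Constructed sample: a client stuffing a JSON blob into state.
REDIRECT_URI = "https://client.example.org/cb"
CODE = "constructed-authorization-code"
BIG_STATE = json.dumps({"return_to": "/settings", "pad": "a" * 5000})

def demo() -> dict:
    """Header size with the big state, versus rejecting it up front."""
    size = location_header_len(REDIRECT_URI, CODE, BIG_STATE)
    return {"header_bytes": size, "over_budget": size > HEADER_BUDGET,
            "verdict": validate_state(BIG_STATE)}

if __name__ == "__main__":
    print(demo())
```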