There is AFAIK still no limit specified in HTTP itself on the maximum
header length, but individual servers (e.g. nginx) usually set their own
server-specific limits (8k seems common, and is what nginx does):
http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers
Those limits can be increased, but you might want to ensure that server
memory and storage can securely and performantly handle any resulting
per-request resource usage increases.
Regards, John
On 02/24/25 at 12:50, Emelia S. wrote:
Hi all,
I've looked through both the OAuth 2 and Current Security Best
Practices documents, and nowhere does it seem to mention a max-length
for the user-supplied "state" parameter for use in authorization code
grant flows. Should the server implement a maximum length? Is the
server allowed to set a maximum allowable length for the state
parameter?
The issue we're seeing is that some clients are encoding large JSON
values in the state parameter (which feels wrong, but is technically
allowable), and this causes an error with nginx and other software
where the resulting Location header is too large, causing a 502
error.
See:
- https://github.com/mastodon/mastodon/issues/12915
- https://github.com/doorkeeper-gem/doorkeeper/issues/1554
The ABNF for `state` is just: state = 1*VSCHAR — there is no mention
of an upper limit, per
https://www.rfc-editor.org/rfc/rfc6749.html#appendix-A.5
Is there anything I've missed here?
Yours, Emelia
--
Independent Security Architect
t: +1.413.645.4169
e: stable.pseudo...@gmail.com
https://www.linkedin.com/in/johnk-am9obmsk/
https://github.com/frumioj
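As an added example, not code from this thread or from Mastodon, Doorkeeper or nginx: a minimal authorization-endpoint check in Python that enforces the RFC 6749 `state = 1*VSCHAR` grammar, applies an assumed server-side maximum length (1024 characters, a value chosen for illustration), and pre-computes the percent-encoded Location header so the server can return a clear 400 itself instead of letting a front-end proxy with an 8k header buffer answer 502. The redirect URI, authorization code and limit values are constructed sample values, and returning the error directly rather than via the redirect URI is a design choice here, since echoing an oversized state back would recreate the problem.

```python
import re
from urllib.parse import urlencode, urlsplit, urlunsplit

# RFC 6749 Appendix A.5: state = 1*VSCHAR, VSCHAR = %x20-7E (printable ASCII).
VSCHAR_RE = re.compile(r"[\x20-\x7e]+")

# Assumed policy values (not from the thread): a state cap well below an
# 8k proxy header buffer such as nginx's default large_client_header_buffers.
DEFAULT_MAX_STATE_LEN = 1024
HEADER_BUFFER_LIMIT = 8 * 1024


def validate_state(state, max_len=DEFAULT_MAX_STATE_LEN):
    """Return None if state is acceptable, else an RFC 6749 error code."""
    if state is None:
        return None  # state is RECOMMENDED, not REQUIRED, in RFC 6749
    # fullmatch (not match) so a trailing newline cannot slip past the '$' rule
    if not VSCHAR_RE.fullmatch(state):
        return "invalid_request"  # also rejects the empty string (1* needs >= 1)
    if len(state) > max_len:
        return "invalid_request"
    return None


def build_redirect(redirect_uri, code, state):
    """Append code (and state, if given) to the registered redirect URI."""
    parts = urlsplit(redirect_uri)
    params = {"code": code}
    if state is not None:
        params["state"] = state
    extra = urlencode(params)  # percent-encodes; '{' becomes '%7B', tripling its size
    query = f"{parts.query}&{extra}" if parts.query else extra
    # RFC 6749 3.1.2: redirect URIs carry no fragment, so none is emitted
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


def location_header_size(redirect_uri, code, state):
    """Bytes the 'Location: <uri>\\r\\n' response header line will occupy."""
    return len("Location: ") + len(build_redirect(redirect_uri, code, state)) + 2


def authorize(redirect_uri, code, state,
              max_len=DEFAULT_MAX_STATE_LEN, header_limit=HEADER_BUFFER_LIMIT):
    """Simulate the authorization endpoint's answer after user consent.

    Returns (http_status, location_uri_or_error_dict).
    """
    err = validate_state(state, max_len)
    if err:
        return 400, {
            "error": err,
            "error_description": f"state must be 1*VSCHAR and at most {max_len} characters",
        }
    if location_header_size(redirect_uri, code, state) > header_limit:
        # Encoded state may grow past the raw cap; catch it before the proxy does.
        return 400, {
            "error": "invalid_request",
            "error_description": "redirect would exceed the front-end header buffer",
        }
    return 302, build_redirect(redirect_uri, code, state)


if __name__ == "__main__":
    # Constructed sample values for a local run.
    uri, code = "https://client.example/cb", "SplxlOBeZQQYbYS6WxSbIA"
    print(authorize(uri, code, "af0ifjsldkj"))
    print(authorize(uri, code, "{" * 3000, max_len=4000))
```

The second check matters even with a raw-length cap: a 3000-character JSON-ish state passes a 4000-character limit but percent-encodes to roughly 9000 bytes, so the resulting Location header alone overruns an 8k buffer.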
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org