Maybe we could add a "reminder" line like: The client SHOULD consider
browser URL length limits when creating the state parameter and leave
sufficient buffer for the AS to attach additional parameters to the
redirect_uri.
Emelia, another possibility for you is to recommend clients to use POST,
and
There is AFAIK still no limit specified in HTTP itself on the maximum
header length, but individual servers (e.g. nginx) usually set their own
server-specific limits (8k seems common, and is what nginx does):
http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers
T
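The budgeting described above (leave room in the redirect for the parameters the AS appends, and respect typical server header limits such as the 8k nginx default) can be made concrete on the AS side. This is an added example, not code from anyone in this thread; the 8192-byte limit, the 128-byte worst-case code length and the issuer value are constructed assumptions.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

URL_LIMIT = 8192            # assumed: matches the common 8k header buffer
MAX_CODE_LEN = 128          # assumed worst-case length of an issued code
ISSUER = "https://as.example.com"  # constructed example issuer


def build_redirect(redirect_uri: str, code: str, state: str, iss: str = ISSUER) -> str:
    """Append code, state and iss to the client's redirect_uri, keeping any
    query string the client pre-registered."""
    parts = urlsplit(redirect_uri)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query += [("code", code), ("state", state), ("iss", iss)]
    # urlencode percent-encodes reserved characters, so JSON or JWT-style
    # state values grow when they land in the URL.
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


def redirect_length(redirect_uri: str, state: str) -> int:
    """Length of the final redirect URL, assuming the longest code the AS issues."""
    return len(build_redirect(redirect_uri, "x" * MAX_CODE_LEN, state))


def state_budget(redirect_uri: str, url_limit: int = URL_LIMIT) -> int:
    """How many unreserved (not percent-encoded) state characters still fit
    under url_limit once the AS has appended its own parameters."""
    return url_limit - redirect_length(redirect_uri, "")


def validate_state(redirect_uri: str, state: str, url_limit: int = URL_LIMIT):
    """Return None when the redirect fits, else an OAuth error response the AS
    can return to the client instead of emitting an oversized redirect."""
    total = redirect_length(redirect_uri, state)
    if total > url_limit:
        return {
            "error": "invalid_request",
            "error_description": f"redirect would be {total} bytes, limit is {url_limit}",
        }
    return None
```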
> Is there anything I've missed here?
No, there is no upper limit defined. You can generally expect random values
as well as larger JSON objects, even JWTs (e.g. as per
https://datatracker.ietf.org/doc/html/draft-bradley-oauth-jwt-encoded-state-09
).
Best regards,
*Filip Skokan*
On Mon, 24 Feb 2
Hi all,
I've looked through both the OAuth 2 and Current Security Best Practices
documents, and nowhere does it seem to mention a max-length for the
user-supplied "state" parameter for use in authorization code grant flows.
Should the server implement a maximum length? Is the server allowed to