I would suggest that if an AS were to implement two competing specifications for
what a client_id means, then it'd be up to the implementor to decide what is
used when. E.g., it'd be difficult to support both OpenID Federation and this
I-D simultaneously without some degree of work on the impleme
Hi all,
I've looked through both the OAuth 2 and Current Security Best Practices
documents, and nowhere does it seem to mention a max-length for the
user-supplied "state" parameter for use in authorization code grant flows.
Should the server implement a maximum length? Is the server allowed to