Core - 6.2 - Softening the 512 ASCII characters restriction

Issue #986 resolved
Nat Sakimura created an issue

There has been a question asked in OAuth list that why is there a 512 ASCII chars restriction in OAuth JAR (JWT Authorization Request). It is because this restriction is there in the OpenID Connect Core 1.0.

In section 6.2, it goes:

The entire Request URI MUST NOT exceed 512 ASCII characters.

The reason it is there is due to the following factors:

  1. WAP / feature phone consideration: they typically do not accept large payload. Some of them accepts only about 540 or so according to our survey.
  2. Internet Explorer 6.x etc. restriction: They supported only 1024 bytes.
  3. UX consideration: sending many bytes over the EDGE / 2G connection is unbearably slow.

While point 2. is virtually gone, 1. and 3. still has some points especially in the developing countries. So, I would not like this restriction to be gone, but it would be ok to soften it to SHOULD or even "recommended".

Please discuss.

Comments (2)

  1. Michael Jones

    On the 16-Nov-15 call, it was agreed that there is no compelling reason to lengthen it as part of the errata action.

    We will consider clarifying text.

  2. Log in to comment