-
assigned issue to
Core - 6.2 - Softening the 512 ASCII characters restriction
Issue #986
resolved
There has been a question asked in OAuth list that why is there a 512 ASCII chars restriction in OAuth JAR (JWT Authorization Request). It is because this restriction is there in the OpenID Connect Core 1.0.
In section 6.2, it goes:
The entire Request URI MUST NOT exceed 512 ASCII characters.
The reason it is there is due to the following factors:
- WAP / feature phone consideration: they typically do not accept large payload. Some of them accepts only about 540 or so according to our survey.
- Internet Explorer 6.x etc. restriction: They supported only 1024 bytes.
- UX consideration: sending many bytes over the EDGE / 2G connection is unbearably slow.
While point 2. is virtually gone, 1. and 3. still has some points especially in the developing countries. So, I would not like this restriction to be gone, but it would be ok to soften it to SHOULD or even "recommended".
Please discuss.
Comments (2)
-
-
- changed status to resolved
Fixed
#986- Softening the 512 ASCII characters restriction→ <<cset 53a4e09e66a8>>
- Log in to comment
On the 16-Nov-15 call, it was agreed that there is no compelling reason to lengthen it as part of the errata action.
We will consider clarifying text.