The spec states in multiple places that servers control how big authorization and other codes are, so clients can't be sure how much space they will have in URIs. How can anyone design a client that is intended to work with multiple authorization servers if they have no clue how big their state can be? Are they supposed to rewrite their state system every time they run into a protected resource that wants to use a bigger auth code than the client has expected them to? We have to give client developers some kind of guidance they can use to let them know what is a 'safe' size for their state so they can successfully implement with all authorization servers. Recommendation is to say something like - "we assume URIs can be at least 2Kb and that the total client provided values (e.g. the base redirect URI plus the state value) are no more than 1K."
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
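The sizing problem raised above can be handled on the client side without depending on any particular authorization server's limits: keep the real client state in local storage and send only a short, fixed-size, single-use handle as the `state` parameter, then check the request against the budget the post proposes before redirecting. The following is an added example written for this page, not code from the poster or from any OAuth implementation; the 2048-byte URI and 1024-byte client-values budgets are taken from the post's suggested guidance, and the endpoint, client id and redirect URI values are constructed placeholders.

```python
import secrets
import urllib.parse

# Budget figures taken from the guidance proposed in the post: assume a URI
# can be at least 2 KB, and keep the client-provided values (redirect URI
# plus state) to at most 1 KB so the server's own additions still fit.
MAX_URI_BYTES = 2048
MAX_CLIENT_VALUES_BYTES = 1024


class StateStore:
    """Client-side store for per-request state.

    The real state (where to return the user, which flow is in progress,
    etc.) stays here. Only an opaque, fixed-size handle goes on the wire,
    so the size of the 'state' parameter never depends on what the client
    needs to remember or on which authorization server is in use.
    """

    def __init__(self):
        self._entries = {}

    def create(self, payload):
        # 24 random bytes -> 32 URL-safe characters, unguessable and fixed size.
        handle = secrets.token_urlsafe(24)
        self._entries[handle] = payload
        return handle

    def consume(self, handle):
        # Single use: the entry is removed on lookup, so a replayed or
        # forged callback carrying an old handle gets nothing back.
        return self._entries.pop(handle, None)


def client_values_size(redirect_uri, state):
    """Bytes contributed by the client-provided values named in the post."""
    return len(redirect_uri.encode("utf-8")) + len(state.encode("utf-8"))


def build_authorization_url(authorize_endpoint, client_id, redirect_uri,
                            state, scope=None):
    """Build an OAuth 2.0 authorization request URL and enforce the budget.

    Raises ValueError if the client-provided values exceed 1 KB or the
    resulting URI exceeds 2 KB, rather than silently sending a request that
    a server or intermediary may truncate or reject.
    """
    client_bytes = client_values_size(redirect_uri, state)
    if client_bytes > MAX_CLIENT_VALUES_BYTES:
        raise ValueError(
            f"redirect_uri + state is {client_bytes} bytes, "
            f"over the {MAX_CLIENT_VALUES_BYTES}-byte client budget")

    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    if scope:
        params["scope"] = scope
    url = authorize_endpoint + "?" + urllib.parse.urlencode(params)

    if len(url.encode("utf-8")) > MAX_URI_BYTES:
        raise ValueError(
            f"authorization URI is {len(url)} bytes, over {MAX_URI_BYTES}")
    return url


if __name__ == "__main__":
    # Constructed placeholder values for a local demonstration.
    store = StateStore()
    handle = store.create({"return_to": "/dashboard", "flow": "login"})
    url = build_authorization_url("https://as.example/authorize",
                                  "client-123",
                                  "https://app.example/cb",
                                  handle, scope="openid")
    print(url)
    # On callback, the client looks up its real state by the returned handle.
    print(store.consume(handle))
```

The `state` parameter is now always 32 characters regardless of how much the client actually tracks, and the budget check fails fast and locally if a redirect URI is so long that it leaves no room for the server's code and any other parameters.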
