Closed martin-lindstrom closed 12 months ago
This could also apply to the signature extension in case of large userNonVisibleData.
@martin-lindstrom fully agreed
There are some cases, depending on the trust model used, where the request object must provide the X.509 certificate chain (x5c) or the OpenID Federation Trust Chain, to hint the discovery process (which would not require graph resolution patterns but a static path to be verified with the sole TA public key and checked against any revocations). There are other cases where the claims parameter is requested, and also multiple ACR values.
This would make the request object larger than 4KB, and HTTP POST and OAuth2 PAR are the most flexible ways to provide this.
When a Request Object, and more specifically, a signed Request Object, is sent in an authentication request, the payload may exceed the size limit that browsers have for redirects.
Therefore, we should include a recommendation (or a SHOULD) that clients use POST in cases where the request may become large.
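As an added illustration of the size problem discussed in this thread (example code, not from the thread participants or from any specification text), the following Python sketch builds a signed request object carrying an x5c-style chain, multiple ACR values and a claims parameter, measures the redirect URL that a GET-based authorization request would produce, and falls back to a PAR-style POST plus request_uri when that URL exceeds a 4KB threshold. The endpoints, client identifier, the HS256 signing key (used only so the example runs without a crypto library) and the certificate blobs are assumed or constructed placeholders; a real client would use an asymmetric algorithm and real DER certificates.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode

# Assumed endpoints and client identifier (placeholders, not from the thread).
AUTHZ_ENDPOINT = "https://as.example.org/authorize"
PAR_ENDPOINT = "https://as.example.org/as/par"
CLIENT_ID = "s6BhdRkqt3"
# The thread's own figure: once the request object pushes the redirect URL
# past roughly 4KB, a front-channel GET becomes unreliable.
URL_LIMIT = 4096


def b64url(data: bytes) -> str:
    """Base64url without padding, as used by JWS."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign_request_object(claims: dict, key: bytes, x5c=None) -> str:
    """Build a JWS request object. x5c goes in the protected header (RFC 7515 4.1.6).
    HS256 is an example-only choice so the code runs offline without a crypto library."""
    header = {"alg": "HS256", "typ": "oauth-authz-req+jwt"}
    if x5c:
        header["x5c"] = x5c
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url(compact(header)) + "." + b64url(compact(claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_request_object(request_jwt: str, key: bytes) -> bool:
    """Recompute the HMAC over header.payload and compare in constant time."""
    signing_input, _, sig = request_jwt.rpartition(".")
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(b64url(expected), sig)


def fake_cert_chain(n=3, der_size=1200):
    """Constructed placeholder: base64 blobs the size of typical DER certificates,
    standing in for an x5c chain. They are NOT real certificates."""
    return [base64.b64encode(b"\x30" * der_size).decode() for _ in range(n)]


def build_request_claims(acr_values, claims_param) -> dict:
    """Authorization request parameters as JWT claims (plus iss/aud for RFC 9101)."""
    return {
        "iss": CLIENT_ID, "aud": "https://as.example.org",
        "response_type": "code", "client_id": CLIENT_ID,
        "redirect_uri": "https://client.example.org/cb",
        "scope": "openid", "state": "af0ifjsldkj", "nonce": "n-0S6_WzA2Mj",
        "acr_values": " ".join(acr_values),
        "claims": claims_param,
    }


def authorize_url_via_get(request_jwt: str) -> str:
    """Front-channel GET: the whole request object rides in the query string."""
    return AUTHZ_ENDPOINT + "?" + urlencode({"client_id": CLIENT_ID, "request": request_jwt})


def par_exchange(request_jwt: str):
    """Offline simulation of RFC 9126: the client POSTs the request object to the
    PAR endpoint and the AS answers with an opaque request_uri; the browser
    redirect then carries only that reference. The request_uri format below is
    an assumption about this hypothetical AS, not a normative format."""
    post_body = urlencode({"client_id": CLIENT_ID, "request": request_jwt})
    ref = b64url(hashlib.sha256(post_body.encode()).digest()[:16])
    request_uri = "urn:ietf:params:oauth:request_uri:" + ref
    redirect = AUTHZ_ENDPOINT + "?" + urlencode({"client_id": CLIENT_ID, "request_uri": request_uri})
    return post_body, request_uri, redirect


def choose_transport(request_jwt: str):
    """Use GET while the redirect URL is small enough; otherwise push the request
    object through PAR (POST) and redirect with the short request_uri."""
    get_url = authorize_url_via_get(request_jwt)
    if len(get_url) <= URL_LIMIT:
        return "GET", get_url
    _, _, redirect = par_exchange(request_jwt)
    return "PAR", redirect


if __name__ == "__main__":
    key = b"example-only-hmac-key"
    small = sign_request_object(build_request_claims(["urn:x:low"], {"id_token": {"email": None}}), key)
    big = sign_request_object(
        build_request_claims(
            ["urn:x:low", "urn:x:substantial", "urn:x:high"],
            {"id_token": {"acr": {"essential": True, "values": ["urn:x:substantial", "urn:x:high"]}},
             "userinfo": {"given_name": None, "family_name": None, "birthdate": None}},
        ),
        key, x5c=fake_cert_chain(),
    )
    for name, jwt in (("small", small), ("with x5c chain", big)):
        method, url = choose_transport(jwt)
        print(f"{name}: GET URL would be {len(authorize_url_via_get(jwt))} chars -> {method}, redirect {len(url)} chars")
```

The same decision applies to the unsigned Request Object case and to the signature extension mentioned above: whatever inflates the request (certificate chains, trust chains, a large claims parameter, a long userNonVisibleData) pushes the client toward POST or PAR, and the authorization server still has to verify the signature and the chain before acting on the pushed request.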