Originally submitted by Andrii Deinega (Andrii Deinega) on 2025-08-18
https://openid.net/specs/openid-connect-session-1_0.html introduces the session_state parameter and defines it as
JSON [RFC7159] string that represents the End-User's login state at the OP. It MUST NOT contain the space (" ") character. This value is opaque to the RP. This is REQUIRED if session management is supported.
this is also followed by this suggestion on how OPs should generate it
The generation of suitable Session State values is specified in Section 3.2, and is based on a salted cryptographic hash of Client ID, origin URL, and OP User Agent state.
which sort of implies it has a fixed size (64 characters long). However, my experience shows that some OPs in the wild make it a very, very long string (my guess is they issue an encrypted JWT or something), which led to integration issues.
The suggestion is to specify some sane size limits for it.
Note that passing it as a query parameter via the front channel is limited by size constraints due to its nature.
Bitbucket status: open
Bitbucket origin: issue 2183