11.2.1. Request Disclosure

This specification allows extension parameters. These may include potentially sensitive information. Since URI query parameters may leak through various means but most notably through referrer and browser history, if the authorization request contains a potentially sensitive parameter, the client SHOULD encrypt the Request Object using JWE [RFC7516].

Where the Request Object URI method is being used, if the Request Object contains personally identifiable or sensitive information, the request_uri SHOULD be used only once and have a short validity period, and it MUST have sufficient entropy for the applicable security policies unless the Request Object itself is encrypted using JWE [RFC7516]. The adequate shortness of the validity period and the entropy of the Request Object URI depend on the risk calculation based on the value of the resource being protected. General guidance for the validity time would be less than a minute, and the Request Object URI is to include a cryptographic random value of 128 bits or more at the time of the writing of this specification.
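
One way to apply the three request_uri properties above (one-time use, validity under a minute, at least 128 bits of randomness), as an added example that is not part of the specification. The class name, the base URL `https://client.example/request/` and the in-memory dictionary are assumptions made for illustration; the sketch applies the entropy rule whether or not the Request Object is also encrypted.

```python
import secrets
import time

REQUEST_URI_PREFIX = "https://client.example/request/"  # constructed base URL (assumption)
MAX_TTL_SECONDS = 60    # guidance in the text: validity of less than a minute
MIN_ENTROPY_BYTES = 16  # guidance in the text: random value of 128 bits or more


class RequestObjectStore:
    """Hypothetical in-memory host for Request Objects fetched by request_uri."""

    def __init__(self, ttl_seconds=30, entropy_bytes=MIN_ENTROPY_BYTES,
                 clock=time.monotonic):
        if not 0 < ttl_seconds < MAX_TTL_SECONDS:
            raise ValueError("validity period must be positive and under a minute")
        if entropy_bytes < MIN_ENTROPY_BYTES:
            raise ValueError("request_uri needs at least 128 bits of randomness")
        self._ttl = ttl_seconds
        self._entropy_bytes = entropy_bytes
        self._clock = clock
        self._entries = {}  # token -> (expiry time, serialized Request Object)

    def publish(self, request_object):
        """Store a Request Object and return a fresh, unguessable request_uri."""
        token = secrets.token_urlsafe(self._entropy_bytes)  # CSPRNG-backed
        self._entries[token] = (self._clock() + self._ttl, request_object)
        return REQUEST_URI_PREFIX + token

    def redeem(self, request_uri):
        """Return the Request Object once; None if unknown, reused or expired."""
        if not request_uri.startswith(REQUEST_URI_PREFIX):
            return None
        token = request_uri[len(REQUEST_URI_PREFIX):]
        # pop() removes the entry on first lookup, which enforces one-time use
        entry = self._entries.pop(token, None)
        if entry is None:
            return None
        expires_at, request_object = entry
        if self._clock() >= expires_at:
            return None
        return request_object
```

A production store would also purge expired entries that are never redeemed and share state across server instances so that one-time use holds for every node.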