5.2. Passing a Request Object by Reference

The request_uri authorization request parameter enables an OAuth authorization request to be passed by reference instead of by value. Its usage is the same as the request parameter, except that the value of the Request Object is retrieved from the resource identified by the specified URI rather than being passed by value.

The entire Request URI SHOULD NOT exceed 512 ASCII characters. There are two reasons for this restriction:

  1. At the time of this writing, many phones on the market are unable to accept large payloads; the limit is typically 512 or 1024 ASCII characters.

  2. On slow connections such as 2G, large URLs cause slow responses; from a user experience perspective, they are undesirable.

Unless the URI was provided to the client by the authorization server, the content of the resource referenced by request_uri MUST be a Request Object, and the authorization server MUST be able to access it. In the first case (the URI was not provided by the authorization server), request_uri MUST be an https URI as defined in [RFC7230], Section 2.7.2. In the second case (the URI was provided by the authorization server), it MUST be a URN as defined in [RFC8141].
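The following is an added example, not part of the specification text: a Python sketch of how an authorization server could check a received request_uri against the rules above before dereferencing it. The function name and the `issued_by_server` set are assumptions for illustration, the URN pattern is a simplified form of the RFC 8141 syntax, and the 512-character SHOULD NOT is enforced here as a hard limit by local policy.

```python
import re
from urllib.parse import urlsplit

MAX_REQUEST_URI_LEN = 512  # "SHOULD NOT exceed 512 ASCII characters"

# Simplified RFC 8141 shape: "urn:" NID ":" NSS. NID is 2-32 characters,
# alphanumeric or hyphen, not starting or ending with a hyphen.
# Assumption: r-, q- and f-components are not needed for this check.
_URN_RE = re.compile(r"^urn:[a-z0-9][a-z0-9-]{0,30}[a-z0-9]:[^\s#?]+$", re.I)


def check_request_uri(request_uri, issued_by_server):
    """Return (ok, reason) for a request_uri parameter value.

    issued_by_server is a hypothetical set of request_uri values that this
    authorization server previously handed out to clients.
    """
    if not request_uri.isascii():
        return False, "non-ASCII characters"
    if len(request_uri) > MAX_REQUEST_URI_LEN:
        return False, "longer than 512 characters"

    if request_uri in issued_by_server:
        # Second case: the server provided the reference, so it must be a URN.
        if _URN_RE.match(request_uri):
            return True, "server-issued URN"
        return False, "server-issued reference is not a URN"

    # First case: the client hosts the Request Object, so https is required.
    # An unknown URN also ends up here and is rejected by the scheme check.
    try:
        parts = urlsplit(request_uri)
    except ValueError:
        return False, "malformed URI"
    if parts.scheme.lower() != "https":
        return False, "client-hosted request_uri must use https"
    if not parts.hostname:
        return False, "https URI has no host"
    return True, "client-hosted https URI"


if __name__ == "__main__":
    # Constructed sample values, not taken from the specification.
    issued = {"urn:example:request:6esc_11ACC5bwc014ltc14eY22c"}
    for uri in ["https://client.example.org/ro/abc123",
                "http://client.example.org/ro/abc123",
                "urn:example:request:6esc_11ACC5bwc014ltc14eY22c",
                "urn:example:request:unknown"]:
        print(uri, "->", check_request_uri(uri, issued))
```

The check only covers the form of the parameter; the fetched content still has to be validated as a Request Object.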

The following is an example of Request Object resource content that can be referenced by request_uri (with line wraps within values for display purposes only):

See 5.2.1. URI Referencing the Request Object, 5.2.2. Request Using the "request_uri" Request Parameter, and 5.2.3. Authorization Server Fetches Request Object.