Today I learned that Twitter / X has a 500 character limit in its OAuth state

  • Written on: 16/10/2025
  • Last update: 16/10/2025

Twitter (X) OAuth state limit

When implementing the OAuth flow for Twitter / X on Postier.app, I was getting an error saying "Vous n'avez pas pu autoriser l'accès à l'application. Revenez en arrière et réessayez de vous connecter."

The error by itself was not very helpful, so I started to investigate. I tried everything: are the scopes correct? Is the API endpoint I'm pinging correct? Did I configure the callback URLs correctly in their dashboard?

After some time, I started messing with the state parameter. By providing a simple "test" string, the error disappeared and I got the OAuth page as expected.

So I narrowed down the issue to the state parameter. Looking at the state I had, I saw it was very long (700+ characters), so I naturally thought (for some reason) that I was hitting some sort of character limit on the URL itself, but I was far from it.

After searching a bit, I found this post in their forum: https://devcommunity.x.com/t/why-is-there-a-state-paramter-limit-for-oauth2-authorization-requests/164824/2

It seems the limit is 500 characters.

So I've reduced the amount of data I was encoding in the state parameter and the error disappeared.
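One way to stay under the limit regardless of how much context the flow needs, shown as an added example and not code from Postier.app: keep the context server-side and send only a short random value as `state`, accepted once and only until it expires. `StateStore`, `STATE_TTL` and the sample context are hypothetical names and values; the 500-character figure is the one reported above.

```python
import secrets
import time

MAX_STATE_LEN = 500   # limit reported on this page for X's OAuth state
STATE_TTL = 600       # seconds; assumed lifetime of a pending login


class StateStore:
    """In-memory stand-in for a session table or cache (hypothetical helper)."""

    def __init__(self, now=time.time):
        self._pending = {}
        self._now = now

    def issue(self, context, nbytes=32):
        """Keep the flow context server-side and return a short opaque state."""
        state = secrets.token_urlsafe(nbytes)  # 32 bytes -> 43 URL-safe chars
        if len(state) > MAX_STATE_LEN:
            raise ValueError("state exceeds the provider limit")
        self._pending[state] = (self._now() + STATE_TTL, context)
        return state

    def consume(self, state):
        """Return the stored context once; None if unknown, reused or expired."""
        entry = self._pending.pop(state, None)
        if entry is None:
            return None
        expires_at, context = entry
        if self._now() > expires_at:
            return None
        return context


def demo():
    store = StateStore()
    # Constructed sample context, far larger than 500 characters if serialized.
    context = {"return_to": "/settings/accounts", "workspace": "w" * 700}
    state = store.issue(context)
    first = store.consume(state)    # callback arrives with ?state=<value>
    replay = store.consume(state)   # same value presented a second time
    return len(state), first == context, replay


if __name__ == "__main__":
    print(demo())
```

Because the value is unguessable and single-use, it still does the anti-CSRF job `state` exists for, and the callback handler should reject the request whenever `consume` returns `None`.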