Standard - 2.3.1.3. Request File URI
Bunch of problems around Request File URI.
(1) It does not have to be globally reachable. It needs to be reachable from the Authorization Server, and maybe from the client, but does not have to be reachable from anybody else.
=> s/globally reachable/reachable from the Authorization Server/
(2) The fragment that shows the hash of the file went missing.
Currently, it states:
{{{ The Client then records the Request File either locally or remotely and obtains the Request URI, "request_uri". }}}
Proposal:
{{{ The Client then records the Request File either locally or remotely and obtains the Request URI, "request_uri". The URI MAY be appended with the SHA256 [FIPS180‑2] hash of the file after "#" so that the Authorization Server can detect whether the file has changed. "#" MUST be escaped.
It should be noted that if the Request File includes user's attribute values, it MUST NOT be revealed to anybody but the Authorization Server before the user's authentication and authorization. As such, the request_uri MUST have a larger entropy than the user authentication credential and client authentication credential. }}}
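As an added example (not code from the issue, the spec or any OpenID implementation), the following Python walks the proposal end to end: the client hashes the Request File into the fragment of an unguessable request_uri, the "#" is percent-encoded when that URI is placed in the authorization request, and the Authorization Server recovers the fragment and uses it to detect a changed file. The base64url encoding of the hash, the 128-bit random path segment used for entropy, and all hostnames and values are assumptions made for the example.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, parse_qs, urlsplit

# Constructed sample Request File; in practice this is the (signed) Request
# Object the client hosts at the request_uri. It carries user attributes,
# which is exactly why the URI must not be guessable.
REQUEST_FILE = b'{"client_id":"s6BhdRkqt3","scope":"openid profile","email":"janedoe@example.com"}'


def file_hash_fragment(data: bytes) -> str:
    """SHA-256 of the Request File as unpadded base64url (assumed encoding) for the '#' fragment."""
    digest = hashlib.sha256(data).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_request_uri(base: str, data: bytes) -> str:
    """Client side: an unguessable request_uri whose fragment is the file hash.
    The random path segment (assumed 128 bits) supplies the entropy the issue
    asks for; the fragment lets the Authorization Server detect a changed file."""
    token = secrets.token_urlsafe(16)
    return f"{base.rstrip('/')}/{token}#{file_hash_fragment(data)}"


def build_authorization_url(authz_endpoint: str, client_id: str, request_uri: str) -> str:
    """urlencode percent-encodes '#' as %23, so the fragment stays inside the
    request_uri parameter instead of terminating the authorization URL."""
    query = urlencode({"response_type": "code", "client_id": client_id, "request_uri": request_uri})
    return f"{authz_endpoint}?{query}"


def extract_request_uri(authorization_url: str) -> str:
    """Authorization Server side: recover the request_uri, fragment included, from the query string."""
    return parse_qs(urlsplit(authorization_url).query)["request_uri"][0]


def verify_fetched_file(request_uri: str, fetched: bytes) -> bool:
    """Authorization Server side: compare the hash fragment with what was actually retrieved.
    A mismatch (or a missing fragment) means the file is not the one the client published."""
    expected = urlsplit(request_uri).fragment
    return bool(expected) and secrets.compare_digest(expected, file_hash_fragment(fetched))
```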
Comments (9)
Fixes #379: Sec 2.3.1.3.1 add hash and entropy considerations
Already done by John
Are we sure that browsers won't unescape the # in the 302?
I don't have any indication that they will, but it is worth double checking.