Purpose in claims request should be limited to only contain allowed characters

Issue #1150 closed
Roland Hedberg created an issue

In OIDC error_description is limited to “Human-readable ASCII encoded text description of the error.”.

RFC6749 it’s even more restricted: “Values for the "error_description" parameter MUST NOT include characters outside the set %x20-21 / %x23-5B / %x5D-7E.”

Something similar should be applied to purpose in claims requests as described in section 5.1 since it's expected to be shown to users.

Comments (8)

  1. Vladimir Dzhuvinov

    The purpose parameter will need to support i18n, otherwise we’re going to have a major usability problem with the spec.

    AFAIK OAuth 2.0 doesn’t restrict request params in the way it does error_description.

  2. Daniel Fett

    Agree with Vladimir.

    @Roland Hedberg - none of the things in such a string can be evil in themselves. They may be evil in the context of HTML, JS, SQL, LDAP, or whatever. That’s why there must be escaping before they are put into a different context. But we just cannot decide what is evil and what is not.

  3. Log in to comment