Purpose in claims request should be limited to only contain allowed characters
In OIDC, error_description is limited to “Human-readable ASCII encoded text description of the error.”
In RFC 6749 it’s even more restricted: “Values for the "error_description" parameter MUST NOT include characters outside the set %x20-21 / %x23-5B / %x5D-7E.”
Something similar should be applied to purpose in claims requests as described in section 5.1 since it's expected to be shown to users.
Comments (8)
-
-
reporter The purpose of purpose is to be shown to the user. Anything that is supposed to be sent to the user must not contain evil things. I have seen the note in https://openid.net/specs/openid-connect-4-identity-assurance-1_0-ID1.html#rfc.section.8 and I’m just wondering whether it’s enough.
-
- changed milestone to Implementer's Draft 2
-
Agree with Vladimir.
@Roland Hedberg - none of the things in such a string can be evil in themselves. They may be evil in the context of HTML, JS, SQL, LDAP, or whatever. That’s why there must be escaping before they are put into a different context. But we just cannot decide what is evil and what is not.
-
- removed milestone
-
@Roland Hedberg may I close this ticket?
-
reporter You do that!
-
- changed status to closed
The purpose parameter will need to support i18n, otherwise we’re going to have a major usability problem with the spec.
AFAIK OAuth 2.0 doesn’t restrict request params in the way it does error_description.
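The trade-off discussed in this thread, as an added example that is not code from the ticket, the spec or any participant: the RFC 6749 character set quoted above rejects an internationalized purpose yet still admits markup, while encoding per output context handles both. The function names, the `consent_log` table and the sample strings are hypothetical and constructed for illustration.

```python
import html
import re
import sqlite3

# RFC 6749 character set for error_description: %x20-21 / %x23-5B / %x5D-7E
RFC6749_TEXT = re.compile(r"[\x20-\x21\x23-\x5B\x5D-\x7E]*")


def fits_rfc6749_charset(value: str) -> bool:
    """True if every character is inside the RFC 6749 error_description set."""
    return RFC6749_TEXT.fullmatch(value) is not None


def purpose_as_html(purpose: str) -> str:
    """HTML context: encode on output, for element content or attribute values."""
    return html.escape(purpose, quote=True)


def store_and_load_purpose(purpose: str) -> str:
    """SQL context: bind the value as a parameter, never build the statement from it."""
    db = sqlite3.connect(":memory:")  # hypothetical consent log, in memory only
    try:
        db.execute("CREATE TABLE consent_log (purpose TEXT)")
        db.execute("INSERT INTO consent_log (purpose) VALUES (?)", (purpose,))
        return db.execute("SELECT purpose FROM consent_log").fetchone()[0]
    finally:
        db.close()


# Constructed sample purpose values (not taken from the ticket or the spec).
SAMPLES = {
    "i18n": "Kontoeröffnung gemäß Geldwäschegesetz",
    "markup": "<script>alert(1)</script>",
    "quote": "Verify the customer's age",
}

if __name__ == "__main__":
    for name, purpose in SAMPLES.items():
        print(
            name,
            "| fits RFC 6749 set:", fits_rfc6749_charset(purpose),
            "| HTML:", purpose_as_html(purpose),
            "| SQL round trip intact:", store_and_load_purpose(purpose) == purpose,
        )
```
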