Purpose in claims request should be limited to only contain allowed characters

Issue #1150 closed

Roland Hedberg created an issue 2020-01-16

In OIDC error_description is limited to “Human-readable ASCII encoded text description of the error.”.

RFC6749 it’s even more restricted: “Values for the "error_description" parameter MUST NOT include characters outside the set %x20-21 / %x23-5B / %x5D-7E.”

Something similar should be applied to purpose in claims requests as described in section 5.1 since it's expected to be shown to users.

‌

Comments (8)

Vladimir Dzhuvinov
The purpose parameter will need to support i18n, otherwise we’re going to have a major usability problem with the spec.

AFAIK OAuth 2.0 doesn’t restrict request params in the way it does error_description.
- 2020-01-18T11:51:45+00:00
Roland Hedberg reporter
The purpose of purpose is to been shown to the user. Anything that is supposed to be sent to the user must not contain evil things. I have seen the note in https://openid.net/specs/openid-connect-4-identity-assurance-1_0-ID1.html#rfc.section.8 I’m just wondering whether it’s enough.
- 2020-01-18T13:14:35+00:00
Torsten Lodderstedt
- changed milestone to Implementer's Draft 2
- 2020-02-18T09:45:58+00:00
Daniel Fett
Agree with Vladimir.

@Roland Hedberg - none of the things in such a string can be evil in themselves. They may be evil in the context of HTML, JS, SQL, LDAP, or whatever. That’s why there must be escaping before they are put into a different context. But we just cannot decide what is evil and what is not.
- 2020-02-19T15:29:42+00:00
Torsten Lodderstedt
- removed milestone
- 2020-02-19T16:45:20+00:00
Torsten Lodderstedt
@Roland Hedberg may I close this ticket?
- 2020-03-10T07:56:15+00:00
Roland Hedberg reporter
You do that !
- 2020-03-10T07:58:37+00:00
Torsten Lodderstedt
- changed status to closed
- 2020-03-10T08:10:47+00:00
Log in to comment

Assignee: –

Type: proposal

Priority: major

Status: closed

Component: –

Milestone: –

Votes: 0

Watchers: 3