Is it okay for request object URNs to be predictable?

Issue #123 closed
Joseph Heenan created an issue

FAPI part 2 7.1 currently says:

Note that `request_uri` can be either URL or URN. 
If it is a URL, it shall be based on a cryptographic random value so that it is difficult to predict for an attacker.

This would seem to imply that if a URN is used it is okay for the URN to be predictable.

I am not 100% certain that is the case (perhaps an attacker could cause a DoS by attempting to use other people's URNs, as the URNs are meant to be one-time use? Though this probably requires at least a partial compromise of the client credentials too).

Comments (3)

  1. Dave Tonge

    I think the wording should be tightened such that whether the redirect_uri is a url or urn it is based on a cryptographic random value.

  2. Edmund Jay

    Part 2: Tidy up wording around request object

    request object URLs /and/ URNs should be cryptographicly random.

    It also seems unsuitable to have a 'shall' clause within the introduction, so the requirement is moved to the 'response' section.

    I also took this opportunity to number the clauses as per other sections, so they're easier to refer to in external documents etc.

    closes #123

    → <<cset 3dc41078ab7c>>

  3. Log in to comment