FAPI-R: length/entropy of authorization code / refresh token / client_secret
FAPI part 1 has specific requirements for access tokens:
shall provide opaque non-guessable access tokens with a minimum of 128 bits of entropy where the probability of an attacker guessing the generated token is less than or equal to 2^(-160) as per [RFC6749] section 10.10;
It doesn’t call out any explicit requirements I can see for refresh tokens, authorization codes, or client secrets.
Arguably https://tools.ietf.org/html/rfc6749#section-10.10 and https://tools.ietf.org/html/rfc6819#section-5.1.4.2.2 may already contain sufficient requirements, so it may be that nothing further is necessary in FAPI-R. (I’d originally missed those when implementing the conformance tests; it currently only checks access tokens, so I might not be the only one that missed them...)
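As an added illustration (not the conformance suite's own code), the kind of black-box check a conformance test can apply to any opaque credential named in this issue, using the 128-bit and 2^(-160) thresholds quoted above; the alphabet table and function names are this example's own assumptions:

```python
import math
import secrets
import string

# Thresholds quoted from FAPI Part 1 / RFC 6749 section 10.10 in the issue above.
MIN_ENTROPY_BITS = 128   # "minimum of 128 bits of entropy"
MAX_GUESS_LOG2 = -160    # guess probability <= 2^(-160)

# Alphabets the check recognises, smallest first, so a token is scored against
# the smallest alphabet covering all of its characters (a base64url token that
# happens to use only hex characters is therefore scored conservatively).
ALPHABETS = [
    ("hex", set(string.hexdigits), 16),
    ("base64url", set(string.ascii_letters + string.digits + "-_"), 64),
    ("base64", set(string.ascii_letters + string.digits + "+/="), 64),
    ("ascii-printable", set(string.printable.strip()), 94),
]


def check_credential(token: str) -> dict:
    """Score an opaque credential (access token, refresh token, authorization
    code or client_secret) from the outside: its entropy cannot exceed
    len * log2(alphabet size). This is an upper bound that assumes uniform
    random characters and cannot see a weak RNG, so passing is necessary,
    not sufficient (e.g. "a" * 32 scores 128 bits but carries none)."""
    name, size = None, 0
    for alphabet_name, alphabet, alphabet_size in ALPHABETS:
        if set(token) <= alphabet:
            name, size = alphabet_name, alphabet_size
            break
    # Base64 '=' padding carries no entropy, so it is not counted.
    bits = len(token.rstrip("=")) * math.log2(size) if size else 0.0
    return {
        "alphabet": name,
        "max_entropy_bits": bits,
        "entropy_ok": bits >= MIN_ENTROPY_BITS,
        "guess_probability_ok": -bits <= MAX_GUESS_LOG2,
    }


def issue_credential(entropy_bits: int = 160) -> str:
    """Mint an opaque credential from the OS CSPRNG carrying at least
    entropy_bits of entropy, base64url-encoded without padding."""
    return secrets.token_urlsafe(math.ceil(entropy_bits / 8))


if __name__ == "__main__":
    for sample in ("a1b2c3d4", issue_credential(128), issue_credential(160)):
        print(sample, check_credential(sample))
```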
Comments (9)
- changed status to resolved
- changed component to Part 1: Baseline
- changed component to FAPI 1 - Part 1: Baseline
- changed component to FAPI 1 – Part 1: Baseline
- changed component to FAPI 1 – Baseline
- changed component to FAPI 1: Baseline