it's okay if a refresh token can be guessed?

Issue #345 resolved
Brian Campbell created an issue

Baseline has "Access tokens shall be non-guessable with a minimum of 128 bits of entropy where the probability of an attacker guessing the generated token is less than or equal to 2^(-160) as per [@!RFC6749] section 10.10."

Should ATs be the only artifact for which we give such requirements?  There are also refresh tokens, authorization codes, request_uri values from PAR, and maybe other stuff I'm forgetting.

Comments (9)

  1. Daniel Fett

    (We just hope that the attacker gets tired guessing access tokens and does not see the static authorization codes. /s)

    We have a similar clause in FAPI 1 as well. (The requirement on other types of tokens got lost somewhere on the way from FAPI 1 to 2.)

    But I wonder if we can’t omit this whole clause from both FAPI versions — after all, it refers to a requirement in RFC6749 anyway, and PAR URIs are covered in the PAR draft as well. So there is really no point here other than reminding people of existing requirements.

    Any other views on this?

  2. Joseph Heenan

    The text is subtly different to 6749 (the FAPI text clearly requires 128 bits of entropy, I find statements about “probability” to be less clear) and is more testable.

    With my certification hat on I’ve had a surprising/depressing number of non-trivial conversations about why using 8 character authorization codes is not acceptable in FAPI…

  3. Brian Campbell reporter

    While the requirements are inherited from other specs and could be omitted, it does seem like an explicit reminder is worthwhile. And I’m thinking that reminder shouldn’t single out a particular artifact type as that could potentially be read as omitting the other stuff from the requirement.

    What about something like this?

    Credentials not intended for handling by end-users (e.g., access tokens, refresh tokens, authorization codes, etc.) shall be created with sufficient entropy such that an attacker correctly guessing the value is computationally infeasible as per Section 10.10 of RFC6749.

  4. Daniel Fett

    @Joseph Heenan I only see the 128 bits of entropy mentioned for the client secret in FAPI 1. I agree with you that probability is not clear enough - we would need to describe many more variables (e.g., how often can an attacker guess?). What do you think about the following text?

    Credentials not intended for handling by end-users (e.g., access tokens, refresh tokens, authorization codes, etc.) shall be created with at least 128 bits of entropy such that an attacker correctly guessing the value is computationally infeasible. Cf. Section 10.10 of RFC6749.
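The thread turns on two points: a token's entropy is a function of its alphabet and length, and a "probability of guessing" claim is only meaningful relative to how many guesses an attacker can make. The following Python, added here as an example and not code from the thread or from the FAPI specification, makes both concrete: it computes the entropy of an opaque token given its alphabet, derives the minimum length needed to reach the 128-bit floor, and generates tokens with the standard library's `secrets` module. The alphabets and the `guess_probability` helper are this example's own constructions.

```python
import math
import secrets
import string

# Alphabets commonly used for opaque tokens (constructed for this example).
BASE62 = string.ascii_letters + string.digits   # 62 symbols
HEX = "0123456789abcdef"                        # 16 symbols
DIGITS = string.digits                          # 10 symbols

FAPI_MIN_BITS = 128  # the minimum entropy discussed in the thread


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy, in bits, of a token of `length` symbols drawn uniformly
    and independently from an alphabet of `alphabet_size` symbols.
    Only valid when every symbol really is drawn from a CSPRNG."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(alphabet_size: int, bits: int = FAPI_MIN_BITS) -> int:
    """Smallest token length (in symbols) that reaches `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


def meets_minimum(alphabet_size: int, length: int, bits: int = FAPI_MIN_BITS) -> bool:
    """True if a uniformly random token of this shape has at least `bits` of entropy."""
    return entropy_bits(alphabet_size, length) >= bits


def guess_probability(bits: float, guesses: int) -> float:
    """Probability that an attacker making `guesses` uniformly random attempts
    hits one specific live token of `bits` entropy (ignores the number of
    concurrently valid tokens, which raises the probability further)."""
    return min(1.0, guesses / 2.0 ** bits)


def generate_token(alphabet: str = BASE62, bits: int = FAPI_MIN_BITS) -> str:
    """Generate an opaque token over `alphabet` with at least `bits` of entropy,
    using secrets.choice so each symbol is drawn from the OS CSPRNG."""
    length = min_length_for_bits(len(alphabet), bits)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_token_urlsafe(bits: int = FAPI_MIN_BITS) -> str:
    """Same goal via secrets.token_urlsafe, which takes a byte count:
    128 bits is 16 random bytes, encoded as 22 URL-safe base64 characters."""
    return secrets.token_urlsafe(math.ceil(bits / 8))


def audit(alphabet_size: int, length: int) -> dict:
    """Summarise one token shape, e.g. the 8-character authorization codes
    mentioned in the thread, for a review or certification conversation."""
    bits = entropy_bits(alphabet_size, length)
    return {
        "entropy_bits": round(bits, 2),
        "meets_128": meets_minimum(alphabet_size, length),
        "needed_length": min_length_for_bits(alphabet_size),
        # constructed attacker budget: one billion online guesses
        "p_guess_1e9": guess_probability(bits, 10**9),
    }


if __name__ == "__main__":
    print("8-char base62 code:", audit(62, 8))
    print("32-char hex token:", audit(16, 32))
    print("sample token:", generate_token())
    print("sample urlsafe token:", generate_token_urlsafe())
```

An 8-character base62 authorization code comes out at roughly 47.6 bits, well under the 128-bit floor; 22 base62 characters or 32 hex characters are the shortest shapes that reach it. The `guess_probability` helper shows why the thread finds a bare probability statement under-specified: the same token is "hard to guess" or not depending entirely on the attacker's guess budget and how many valid tokens exist at once.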
