lower limit on request_uri lifetime in FAPI2 may be too short
Issue #546
resolved
FAPI2SP says:
shall issue pushed authorization requests
request_uriwithexpires_invalues of between 5 and 600 seconds.
I’m dubious about the 5 seconds here. It seems short enough that it’s going to result in authorization redirects failing on devices with workable-but-not-ideal mobile network connections. I think it may also be possible that on some older Android devices user interaction is required to select an app/browser in some cases.
Comments (6)
-
reporter
-
reporter
PR: https://bitbucket.org/openid/fapi/pull-requests/379/fapi2sp-rework-lower-limit-on-request_uri
I read the relevant section of OWASP (which seems to be the bit about session timeouts in high-risk apps) but I’m not sure referencing it obviously helped so I didn’t include it.
-
reporter
-
assigned issue to
Joseph Heenan
-
assigned issue to
-
- changed status to open
We now have a PR. Waiting it to be merged.
-
- changed status to resolved
-
- changed component to FAPI2: Security Profile
- Log in to comment
- Assignee
- Type
- Priority
- Status
- resolved
- Component
- FAPI2: Security Profile
- Milestone
- –
- Votes
- 0
- Watchers
- 2
Discussed on today’s call - it seems reasonable to increase the lower limit to 30 seconds and add a note pointing out that the value may need to be carefully thought about depending on if slow networks are involved in typical use cases.
Further discussion suggested aligning with OWASP’s 2-5 minutes guidelines for timeouts as a recommendation ('should').