lower limit on request_uri lifetime in FAPI2 may be too short
FAPI2SP says: "shall issue pushed authorization requests request_uri with expires_in values of between 5 and 600 seconds."
I’m dubious about the 5 seconds here. It seems short enough that it’s going to result in authorization redirects failing on devices with workable-but-not-ideal mobile network connections. I think it may also be possible that on some older Android devices user interaction is required to select an app/browser in some cases.
Comments (6)

reporter: PR: https://bitbucket.org/openid/fapi/pull-requests/379/fapi2sp-rework-lower-limit-on-request_uri

reporter: I read the relevant section of OWASP (which seems to be the bit about session timeouts in high-risk apps) but I’m not sure referencing it obviously helped so I didn’t include it.

assigned issue to

assigned issue to

changed status to open
We now have a PR. Waiting for it to be merged.

changed status to resolved

changed component to FAPI2: Security Profile
Discussed on today’s call - it seems reasonable to increase the lower limit to 30 seconds and add a note pointing out that the value may need to be carefully thought about depending on if slow networks are involved in typical use cases.
Further discussion suggested aligning with OWASP’s 2-5 minutes guidelines for timeouts as a recommendation ('should').
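The failure mode the issue describes (a request_uri that expires before the user agent reaches the authorization endpoint) is easy to model. The following is an added example, not code from the FAPI working group or the spec: a hypothetical authorization server that clamps expires_in to a configured [floor, ceiling] window, stores pushed requests as single-use, and rejects them once expired, plus a client-side simulation with a fake clock standing in for network delay. The class and function names are assumptions; the 5/30/600 second values come from the spec text and the discussion above.

```python
"""Constructed model of PAR request_uri lifetimes (example code, not FAPI WG code).

Assumes: an AS that keys pushed requests by request_uri with an expiry, and a
client that redirects the user agent after some delay. The lifetime bounds are
taken from the issue: 5..600 s as written, 30..600 s as proposed.
"""
import secrets
import time


class FakeClock:
    """Controllable clock so the simulation is deterministic (constructed)."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class PushedAuthorizationServer:
    """Hypothetical AS: issues request_uri values and redeems them once."""

    def __init__(self, min_lifetime: int, max_lifetime: int, clock=time.monotonic) -> None:
        if not 0 < min_lifetime <= max_lifetime:
            raise ValueError("lifetime bounds must satisfy 0 < min <= max")
        self.min_lifetime = min_lifetime
        self.max_lifetime = max_lifetime
        self.clock = clock
        self._store: dict[str, tuple[float, dict]] = {}  # request_uri -> (expires_at, params)

    def par(self, params: dict, requested_lifetime: int) -> dict:
        """Handle a pushed authorization request; clamp lifetime into the profile window."""
        lifetime = max(self.min_lifetime, min(self.max_lifetime, requested_lifetime))
        # RFC 9126 recommends the urn:ietf:params:oauth:request_uri: prefix for the reference.
        request_uri = "urn:ietf:params:oauth:request_uri:" + secrets.token_urlsafe(32)
        self._store[request_uri] = (self.clock() + lifetime, dict(params))
        return {"request_uri": request_uri, "expires_in": lifetime}

    def authorize(self, request_uri: str):
        """Redeem a request_uri at the authorization endpoint: single use, must not be expired."""
        entry = self._store.pop(request_uri, None)  # removed on first use; replay fails
        if entry is None:
            return None
        expires_at, params = entry
        if self.clock() > expires_at:
            return None
        return params


def simulate_redirect(lifetime_floor: int, redirect_delay_s: float, requested_lifetime: int = 5) -> bool:
    """Return True if the authorization endpoint still accepts the request_uri after the delay."""
    clock = FakeClock()
    server = PushedAuthorizationServer(lifetime_floor, 600, clock)
    response = server.par({"client_id": "client-1", "scope": "openid"}, requested_lifetime)
    clock.advance(redirect_delay_s)  # slow mobile network / app-chooser prompt before the redirect lands
    return server.authorize(response["request_uri"]) is not None


if __name__ == "__main__":
    for floor in (5, 30):
        print(f"floor={floor}s, delay=8s -> accepted={simulate_redirect(floor, 8)}")
```

With the 5 second floor and an 8 second delay the request_uri is already gone when the authorization endpoint sees it; with the proposed 30 second floor the same redirect succeeds. The clamp also shows why a server-side floor matters: a client asking for a 1 second lifetime gets the floor, not a value that cannot survive a real redirect.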