"non monotonically increasing" does not cover all cases

Issue #64 resolved
Nat Sakimura created an issue

Currently, it states:

shall provide opaque, non-monotonically increasing 
or non-guessable access tokens with a minimum of 128 bits 
as defined in section 5.1.4.2.2 of [RFC6819]

Since non-monotonically decreasing is equally bad, this statement is inaccurate. It should just say:

shall provide opaque and non-guessable access tokens 
with a minimum of 128 bits 
as defined in section 5.1.4.2.2 of [RFC6819]

Comments (7)

  1. Nat Sakimura reporter
    • changed status to open

    Discussed in the call.

    Agreed on the text.

    Axel pointed out that it may sound like it imposes some structure on the access token. A note should be put there to clarify that this is a minimum requirement for the access tokens for this profile and, as long as the token satisfies this property, it is OK to use any kind of structure, including but not limited to JWT.
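
The gap raised in this issue, as an added example that is not part of the original thread or of the specification: a literal "non-monotonically increasing" check accepts a decreasing counter, while a token drawn from a CSPRNG with at least 128 bits meets the agreed wording. All function names and sample values are assumptions constructed for illustration.

```python
import secrets

MIN_TOKEN_BITS = 128  # minimum stated in the profile text quoted in the issue


def issue_token(nbytes: int = MIN_TOKEN_BITS // 8) -> str:
    """Opaque, non-guessable token: nbytes from the OS CSPRNG, URL-safe encoded."""
    if nbytes * 8 < MIN_TOKEN_BITS:
        raise ValueError(f"token must carry at least {MIN_TOKEN_BITS} random bits")
    return secrets.token_urlsafe(nbytes)


def is_monotonically_increasing(values: list[int]) -> bool:
    return all(a < b for a, b in zip(values, values[1:]))


def satisfies_old_wording(values: list[int]) -> bool:
    """Literal reading of the old text: only an increasing sequence is rejected."""
    return not is_monotonically_increasing(values)


def has_constant_step(values: list[int]) -> bool:
    """True when every token differs from the previous one by the same amount,
    i.e. the sequence is fully determined by two observed values."""
    return len({b - a for a, b in zip(values, values[1:])}) == 1


def random_token_values(count: int) -> list[int]:
    """Numeric view of freshly generated 128-bit tokens, for the same checks."""
    return [int.from_bytes(secrets.token_bytes(MIN_TOKEN_BITS // 8), "big")
            for _ in range(count)]


# Constructed sample sequences of counter-based token values.
INCREASING_COUNTER = [1000, 1001, 1002, 1003]
DECREASING_COUNTER = [9000, 8999, 8998, 8997]

if __name__ == "__main__":
    for name, seq in (("increasing", INCREASING_COUNTER),
                      ("decreasing", DECREASING_COUNTER),
                      ("csprng", random_token_values(4))):
        print(f"{name:10} old wording ok={satisfies_old_wording(seq)} "
              f"constant step={has_constant_step(seq)}")
    print("issued token:", issue_token())
```
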
