Bring access token requirements in line with RFC6749 section 10.10


Merged in josephheenan/fapi/token-lengths (pull request #45)

ddf38f3 · 2018-06-12

Description

Our previous minimum on the length of the token appears to be much lower than RFC6749 calls for. We take the 'should' clause from RFC6749, turn it into a shall (which seems reasonable given FAPI needs to be hitting the high end of any security requirement), and add a practical example to avoid misinterpretation of the requirement.

The working for the example is:

RFC6749 says the probability of a guess 'should' be less than 2^-160. If we assume a server that issues a million access tokens - rounded to 2^20 for convenience, this requires 180 bits of entropy. As the access token has a restricted range of characters it is often base64 encoded, meaning each character (each 8 bits) can only have a maximum of 6 bits of entropy. So 180 bits of entropy requires 180/6*8 bits of access token, i.e. 240 bits or 30 characters.
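The calculation above, carried through in code as an added example (not part of this pull request or the FAPI specification text). It generalises the worked case: given a bound on the guessing probability expressed as 2^-p and an expected token population of 2^n, the entropy needed is p + n bits, and the base64 character count follows from 6 bits per character. The 2^-128 floor used in the second check is the "must" bound RFC 6749 section 10.10 places alongside the 2^-160 "should"; the `generate_access_token` helper is an assumed name and uses the standard library's `secrets` module, which is a reasonable way to mint such tokens but is not mandated by the PR.

```python
import math
import secrets
import string


def required_entropy_bits(guess_probability_log2: int, tokens_issued_log2: int) -> int:
    """Entropy (bits) so that one random candidate hits any valid token with
    probability <= 2^-guess_probability_log2 when 2^tokens_issued_log2 tokens exist.

    With k bits of entropy and N valid tokens, a single guess succeeds with
    probability N / 2^k.  Requiring N / 2^k <= 2^-p gives k >= p + log2(N).
    """
    return guess_probability_log2 + tokens_issued_log2


def min_token_chars(entropy_bits: int, bits_per_char: int = 6) -> int:
    """Minimum characters needed to carry entropy_bits when each character of the
    token alphabet can encode at most bits_per_char bits (6 for base64)."""
    return math.ceil(entropy_bits / bits_per_char)


def generate_access_token(entropy_bits: int) -> str:
    """Mint an opaque bearer token with at least entropy_bits of randomness.

    secrets.token_urlsafe(n) draws n bytes from the OS CSPRNG and base64url-encodes
    them without padding, so the result is both unguessable and safe in URLs/headers.
    Assumed helper for illustration; not the PR's own code.
    """
    nbytes = math.ceil(entropy_bits / 8)
    return secrets.token_urlsafe(nbytes)


_BASE64URL_ALPHABET = set(string.ascii_letters + string.digits + "-_")


def token_meets_length_floor(token: str, tokens_issued_log2: int,
                             guess_probability_log2: int = 160) -> bool:
    """Defender-side sanity check: does an issued token reach the character-count
    floor implied by the bound?  Only the alphabet and length are checked here; a
    token of the right length drawn from a weak RNG would still pass, so this is a
    necessary, not sufficient, condition."""
    if not token or any(c not in _BASE64URL_ALPHABET for c in token):
        return False
    needed = min_token_chars(required_entropy_bits(guess_probability_log2, tokens_issued_log2))
    return len(token) >= needed


if __name__ == "__main__":
    # The PR's worked case: 'should' bound of 2^-160, ~1 million (2^20) tokens.
    bits = required_entropy_bits(160, 20)
    print(f"entropy needed: {bits} bits -> {min_token_chars(bits)} base64 characters")
    tok = generate_access_token(bits)
    print(f"sample token ({len(tok)} chars): {tok}")
    print("meets floor:", token_meets_length_floor(tok, 20))
```

Running the block prints the 180 bits / 30 characters figure from the description, then a freshly minted token of 31 characters (23 random bytes encode to 31 base64url characters, comfortably above the floor). Tightening the assumed population to 2^30 tokens raises the floor to 190 bits and 32 characters, which is the lever an authorisation server operator should turn when estimating how many tokens will be live at once.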

fixes #132
