openid / mobile / issues / #104 - CIBA: client_notification_token's length and usable characters — Bitbucket

Issue #104 resolved

Takahiko Kawasaki created an issue 2018-10-23

Regarding client_notification_token, it would be nice to mention its (minimum/maximum) length and usable characters (printable ASCII only or any characters).

A relevant discussion about nonce in the OpenID certification test suite is here:

https://github.com/openid-certification/oidctest/issues/134

Comments (6)

Dave Tonge
@authlete-taka what values would you suggest for min / max?
- 2018-10-23T04:51:40+00:00
Dave Tonge
- changed component to CIBA
- changed milestone to CIBA Implementer's Draft
- 2018-10-23T04:51:53+00:00
Brian Campbell
- assigned issue to
  
  Brian Campbell
- 2018-10-23T15:10:39+00:00
Brian Campbell
General agreement on the 8/23 call for client_notification_token was:
- Add minimum entropy requirement/recommendation
- same allowable characters as access tokens (from https://tools.ietf.org/html/rfc6750#section-2.1)
- Define a maximum length (but long enough to allow for a reasonable sized JWT to be used as the client_notification_token)
- 2018-10-23T15:14:18+00:00
Brian Campbell
pull request ~~#31~~ has proposed changes to address this
- 2018-10-23T16:58:17+00:00
Brian Campbell
- changed status to resolved
merged pull request ~~#31~~ with client_notification_token: add max length, allowed characters (via RFC6750 ref), and suggested min entropy or other protections (for issue ~~#104~~)
- 2018-10-26T11:59:19+00:00
Log in to comment

Assignee: Brian Campbell

Type: enhancement

Priority: minor

Status: resolved

Component: CIBA

Milestone: CIBA Implementer's Draft

Votes: 0

Watchers: 0

Jira: the preferred issue tracker for Bitbucket. Join the team!