CIBA: client_notification_token's length and usable characters

Issue #104 resolved
Takahiko Kawasaki created an issue

Regarding client_notification_token, it would be nice to mention its (minimum/maximum) length and usable characters (printable ASCII only or any characters).

A relevant discussion about nonce in the OpenID certification test suite is here:

Comments (6)

  1. Brian Campbell

    General agreement on the 8/23 call for client_notification_token was:

    • Add minimum entropy requirement/recommendation
    • same allowable characters as access tokens (from
    • Define a maximum length (but long enough to allow for a reasonable sized JWT to be used as the client_notification_token)
  2. Brian Campbell

    merged pull request #31 with client_notification_token: add max length, allowed characters (via RFC6750 ref), and suggested min entropy or other protections (for issue #104)

  3. Log in to comment