does "auth_req_id" need to be unpredictable?

Issue #134 resolved
Joseph Heenan created an issue

The requirements on auth_req_id aren't fully mentioned that I can see.

The non-normative examples use a UUID-like value, but that is presumably not required.

Naive implementations might use a simple incrementing int; if doing so would introduce security concerns, we should probably suggest a minimum amount of entropy or similar, as is done for tokens.

Comments (5)

  1. Joseph Heenan reporter

    I also don't see a stated upper limit on the length of auth_req_id; if that's intended it may be worth stating explicitly that the length is not limited to aid interoperability.

  2. Dave Tonge

    So Joseph and I discussed this. Making this stricter will be helpful for conformance tests even if it doesn't add that much security-wise. I propose adding:

    REQUIRED. This is a unique identifier to identify the authentication request made by the Client. It SHOULD contain sufficient entropy (at least 128 bits) or be otherwise protected such as to make brute force guessing computationally infeasible.
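
An added example, not part of the issue thread or the specification: two ways a server could mint auth_req_id values that satisfy the proposed wording, one using 128 bits from a CSPRNG and one keeping an incrementing counter but protecting it with a MAC. The function names, the `counter.tag` layout and the HMAC key are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

MIN_ENTROPY_BITS = 128  # figure taken from the proposed text


def new_random_auth_req_id(nbytes: int = 16) -> str:
    """Option 1: nbytes from the OS CSPRNG (16 bytes = 128 bits)."""
    if nbytes * 8 < MIN_ENTROPY_BITS:
        raise ValueError("auth_req_id needs at least 128 bits of entropy")
    return secrets.token_urlsafe(nbytes)


def _tag(key: bytes, counter: int) -> str:
    # HMAC-SHA256 truncated to 128 bits, URL-safe base64 without padding.
    mac = hmac.new(key, str(counter).encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac[:16]).rstrip(b"=").decode()


def new_protected_auth_req_id(key: bytes, counter: int) -> str:
    """Option 2: a sequential counter "otherwise protected" by a MAC tag."""
    return f"{counter}.{_tag(key, counter)}"


def verify_protected_auth_req_id(key: bytes, value: str) -> Optional[int]:
    """Return the counter if the tag verifies, otherwise None."""
    counter_text, sep, tag = value.partition(".")
    if not sep or not (counter_text.isascii() and counter_text.isdigit()):
        return None
    counter = int(counter_text)
    if str(counter) != counter_text:  # reject non-canonical forms like "007"
        return None
    expected = _tag(key, counter)
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return counter


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed sample key
    issued = new_protected_auth_req_id(key, 41)
    guessed = "42." + issued.split(".", 1)[1]  # next counter, reused tag
    print(new_random_auth_req_id())
    print(issued, verify_protected_auth_req_id(key, issued))
    print(guessed, verify_protected_auth_req_id(key, guessed))
```

With a bare incrementing integer, the identifier following an observed one is simply the next number; in the second option the next counter is rejected unless the caller also produces a valid 128-bit tag.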
