does "auth_req_id" need to be unpredictable?
The requirements on auth_req_id aren't fully mentioned that I can see.
The non-normative examples use a uuid-like value, but that is presumably not required.
Naive implementations might use a simple incrementing int; if doing so would introduce security concerns, we should probably suggest a minimum amount of entropy or similar, as is done for tokens.
So Joseph and I discussed this. Making this stricter will be helpful for conformance tests even if it doesn't add that much security wise. I propose adding:
REQUIRED. This is a unique identifier to identify the authentication request made by the Client. It SHOULD contain sufficient entropy (at least 128 bits) or be otherwise protected such as to make brute force guessing computationally infeasible.
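The two ways of meeting the proposed wording (a random identifier with at least 128 bits of entropy, or a sequential identifier that is "otherwise protected"), as an added example written for this thread and not code from the CIBA spec or the OpenID project. The server key, the id layout and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical server-side secret for the "otherwise protected" variant (constructed here).
SERVER_KEY = secrets.token_bytes(32)


def _b64url(raw: bytes) -> str:
    """base64url without padding, so the id is safe in form bodies and JSON."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def random_auth_req_id() -> str:
    """Option 1: 128 bits from the OS CSPRNG; 16 bytes -> 22 characters."""
    return _b64url(secrets.token_bytes(16))


def protected_auth_req_id(counter: int, key: bytes = SERVER_KEY) -> str:
    """Option 2: a predictable counter bound to a 128-bit HMAC-SHA256 tag.
    The counter is guessable, but a forged id also needs a valid tag, so brute
    force is still computationally infeasible without the key."""
    body = counter.to_bytes(8, "big")
    tag = hmac.new(key, body, hashlib.sha256).digest()[:16]
    return _b64url(body + tag)


def verify_protected_auth_req_id(auth_req_id: str, key: bytes = SERVER_KEY) -> Optional[int]:
    """Return the counter if the tag verifies, otherwise None.
    Malformed input and a bad tag are rejected before any database lookup."""
    try:
        raw = base64.urlsafe_b64decode(auth_req_id + "=" * (-len(auth_req_id) % 4))
    except ValueError:
        return None
    if len(raw) != 24:  # 8-byte counter + 16-byte tag
        return None
    body, tag = raw[:8], raw[8:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return int.from_bytes(body, "big")
```

Either form stays opaque to the client; the second one simply lets the server keep a sequential index without exposing a guessable id.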
- changed milestone to CIBA Implementer's Draft
I've pushed this commit which contains the proposed text:
https://bitbucket.org/openid/mobile/commits/ba36f9b48c1c796c921d442b9e9d4ac501801c35
- changed status to resolved
LGTM, thanks guys.
I also don't see a stated upper limit on the length of auth_req_id; if that's intended it may be worth stating explicitly that the length is not limited to aid interoperability.