openid / mobile / issues / #134 - does "auth_req_id" need to be unpredictable? — Bitbucket

Issue #134 resolved

Joseph Heenan created an issue 2018-12-14

The requirements on auth_req_id aren't fully mentioned that I can seen.

The non-normative examples use a uuid like value, but that is presumably not required.

Naive implementations might use a simple incrementing int, if doing so would introduce security concerns we should probably suggest a minimum amount of entropy or similar as is done for tokens.

Comments (5)

Joseph Heenan reporter
I also don't see a stated upper limit on the length of auth_req_id; if that's intended it may be worth stating explicitly that the length is not limited to aid interoperability.
- 2018-12-14T12:06:29+00:00
Dave Tonge
So Joseph and I discussed this. Making this stricter will be helpful for conformance tests even if it doesn't add that much security wise. I propose adding:

REQUIRED. This is a unique identifier to identify the authentication request made by the Client. It SHOULD contain sufficient entropy (at least 128 bits) or be otherwise protected such as to make brute force guessing computationally infeasible.
- 2018-12-14T13:03:19+00:00
Dave Tonge
- assigned issue to
  
  Dave Tonge
- changed milestone to CIBA Implementer's Draft
- 2018-12-14T13:33:23+00:00
Dave Tonge
I've pushed this commit which contains the proposed text:

https://bitbucket.org/openid/mobile/commits/ba36f9b48c1c796c921d442b9e9d4ac501801c35
- 2018-12-14T13:33:56+00:00
Brian Campbell
- changed status to resolved
LGTM, thanks guys.
- 2018-12-14T17:34:34+00:00
Log in to comment

Assignee: Dave Tonge

Type: bug

Priority: major

Status: resolved

Component: CIBA

Milestone: CIBA Implementer's Draft

Votes: 0

Watchers: 0

Jira: the preferred issue tracker for Bitbucket. Join the team!