[Openid-specs-fapi] Issue #123: Is it okay for request object URNs to be predictable? (openid/fapi)
issues-reply at bitbucket.org
Wed Sep 13 15:34:35 UTC 2017
New issue 123: Is it okay for request object URNs to be predictable?
FAPI part 2 7.1 currently says:
Note that `request_uri` can be either URL or URN.
If it is a URL, it shall be based on a cryptographic random value so that it is difficult to predict for an attacker.
This would seem to imply that if a URN is used it is okay for the URN to be predictable.
I am not 100% certain that is the case (perhaps an attacker could cause a DoS by attempting to use other people's URNs, as the URNs are meant to be one-time use? Though this probably requires at least a partial compromise of the client credentials too).
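Added example, not from the issue or the FAPI specs: a minimal Python store for pushed request objects showing the two properties the issue turns on, a request_uri (URL or URN form) minted from a CSPRNG so it cannot be predicted, and one-time use bound to the client that registered it, so a guessed or leaked URN cannot be burned by another party. The URN prefix, the URL host and the store's API are assumptions for illustration.

```python
import secrets
import time

# Constructed example: an in-memory store of pushed request objects, keyed by
# the request_uri the authorization server handed back. Assumed values: the URN
# prefix "urn:example:request_uri:" and the host "as.example" are placeholders.
REQUEST_URI_TTL_SECONDS = 60


class RequestObjectStore:
    def __init__(self, clock=time.time):
        self._clock = clock            # injectable for testing expiry
        self._entries = {}             # request_uri -> (client_id, object, expires_at)

    def register(self, client_id: str, request_object: str, as_url: bool = False) -> str:
        """Mint an unpredictable request_uri for one client's request object."""
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, 43 chars
        if as_url:
            request_uri = f"https://as.example/request/{token}"
        else:
            request_uri = f"urn:example:request_uri:{token}"
        self._entries[request_uri] = (
            client_id, request_object, self._clock() + REQUEST_URI_TTL_SECONDS
        )
        return request_uri

    def consume(self, client_id: str, request_uri: str):
        """Resolve a request_uri exactly once, only for the client that pushed it.

        Returns the stored request object, or None if the URI is unknown,
        expired, or presented by a different client.
        """
        entry = self._entries.get(request_uri)
        if entry is None:
            return None
        owner, request_object, expires_at = entry
        if self._clock() > expires_at:
            del self._entries[request_uri]
            return None
        # Binding the entry to the registering client_id means a party that
        # guesses or learns the URN cannot consume it; the owner's copy survives.
        if owner != client_id:
            return None
        del self._entries[request_uri]      # one-time use
        return request_object
```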