[Openid-specs-fapi] Issue #345: it's okay if a refresh token can be guessed? (openid/fapi)
issues-reply at bitbucket.org
Wed Nov 18 21:34:57 UTC 2020
New issue 345: it's okay if a refresh token can be guessed?
Baseline has "Access tokens shall be non-guessable with a minimum of 128 bits of entropy where the probability of an attacker guessing the generated token is less than or equal to 2^\(-160\) as per \[@!RFC6749\] section 10.10."
Should ATs be the only artifact for which we give such requirements? There are also refresh tokens, authorization codes, request\_uri values from PAR, and maybe other stuff I'm forgetting.
More information about the Openid-specs-fapi