[Openid-specs-mobile-profile] Issue #131: authentication request may not have limited lifetime (openid/mobile)

Joseph Heenan issues-reply at bitbucket.org
Thu Dec 13 18:23:56 UTC 2018

New issue 131: authentication request may not have limited lifetime

Joseph Heenan:

7.1.1. Signed Authentication Request requests the exp claim and the iat claim, but not nbf.

This means if an attacker is able to control the clock on the client (very possible in the case of per-instance registered mobile apps) they may be able to generate a long-lived authentication request.

I'm not entirely sure why exp is mandatory, but given the stated intent is that exp limits the validity lifetime it would seem sensible to require nbf rather than (or as well as) iat.
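An OP-side check of the request object's time claims, added here as an illustration and not taken from the thread or from the specification under discussion. It contrasts an exp-only check with one that bounds the asserted validity window; MAX_LIFETIME_SECONDS and CLOCK_SKEW_SECONDS are assumed policy values, and signature verification is assumed to have happened already.

```python
# Assumed OP policy values; the specification fixes no such numbers.
MAX_LIFETIME_SECONDS = 300
CLOCK_SKEW_SECONDS = 30


def exp_only_check(claims, now):
    """The check the filed text implies: only exp is required and only
    'now <= exp' is enforced.  The client chooses exp, so a skewed or
    attacker-controlled client clock yields a request that stays valid
    for as long as the client likes."""
    exp = claims.get("exp")
    return isinstance(exp, (int, float)) and now <= exp + CLOCK_SKEW_SECONDS


def check_request_lifetime(claims, now, require_nbf=True):
    """Bound the validity window the client asserts.

    Returns (accepted, reason).  The window starts at nbf (or, when
    require_nbf is False, falls back to the spec-mandated iat) and ends
    at exp; the OP rejects any window longer than its policy allows,
    so the lifetime is limited regardless of the client's clock.
    """
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        return False, "exp missing or not numeric"
    if now > exp + CLOCK_SKEW_SECONDS:
        return False, "request expired"

    start = claims.get("nbf")
    if start is None:
        if require_nbf:
            return False, "nbf missing"
        start = claims.get("iat")  # iat is required by the spec text
        if start is None:
            return False, "neither nbf nor iat present"
    if not isinstance(start, (int, float)):
        return False, "nbf/iat not numeric"

    if now + CLOCK_SKEW_SECONDS < start:
        return False, "request not yet valid"
    if exp - start > MAX_LIFETIME_SECONDS:
        return False, "validity window exceeds OP policy"
    return True, "ok"


if __name__ == "__main__":
    # Constructed claims: a client clock set years ahead, exp far in the future.
    skewed = {"iat": 1000, "exp": 10**9}
    print("exp-only:", exp_only_check(skewed, now=1100))            # True
    print("bounded :", check_request_lifetime(skewed, 1100, False))  # rejected
```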
