[Openid-specs-mobile-profile] Issue #134: does "auth_req_id" need to be unpredictable? (openid/mobile)

Joseph Heenan issues-reply at bitbucket.org
Fri Dec 14 11:52:06 UTC 2018

New issue 134: does "auth_req_id" need to be unpredictable?

Joseph Heenan:

The requirements on auth_req_id aren't fully mentioned that I can see.

The non-normative examples use a UUID-like value, but that is presumably not required.

Naive implementations might use a simple incrementing int. If doing so would introduce security concerns, we should probably suggest a minimum amount of entropy or similar, as is done for tokens.
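
An added illustration, not part of the original post or of the specification: the incrementing-int scheme the issue describes next to an issuer that draws auth_req_id from the OS CSPRNG, with a check a server implementer could run on their own generator. The class and function names and the 128-bit floor are assumptions made for this example.

```python
import base64
import itertools
import secrets

MIN_ENTROPY_BITS = 128  # assumed floor for this example; not a value from the post


class CounterIssuer:
    """The 'naive' scheme from the issue: a simple incrementing int."""

    def __init__(self, start=1):
        self._counter = itertools.count(start)

    def new_auth_req_id(self):
        return str(next(self._counter))


class RandomIssuer:
    """Opaque identifiers drawn from the operating system's CSPRNG."""

    def __init__(self, entropy_bits=MIN_ENTROPY_BITS):
        if entropy_bits < MIN_ENTROPY_BITS:
            raise ValueError("entropy_bits is below the configured minimum")
        self._nbytes = (entropy_bits + 7) // 8

    def new_auth_req_id(self):
        # URL-safe base64 without padding, so it can travel in form parameters
        return secrets.token_urlsafe(self._nbytes)


def next_id_is_predictable(issuer, samples=50):
    """True if each ID is the previous one plus 1, so one observed ID reveals the next."""
    ids = [issuer.new_auth_req_id() for _ in range(samples)]
    try:
        nums = [int(i) for i in ids]
    except ValueError:
        return False  # not a plain integer sequence
    return all(b - a == 1 for a, b in zip(nums, nums[1:]))


def decoded_bits(auth_req_id):
    """Number of random bits carried by an ID produced by RandomIssuer."""
    padded = auth_req_id + "=" * (-len(auth_req_id) % 4)
    return len(base64.urlsafe_b64decode(padded)) * 8


if __name__ == "__main__":
    print("counter predictable:", next_id_is_predictable(CounterIssuer()))
    print("random predictable: ", next_id_is_predictable(RandomIssuer()))
    print("random ID bits:     ", decoded_bits(RandomIssuer().new_auth_req_id()))
```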
