[Openid-specs-mobile-profile] Issue #134: does "auth_req_id" need to be unpredictable? (openid/mobile)
Joseph Heenan
issues-reply at bitbucket.org
Fri Dec 14 11:52:06 UTC 2018
New issue 134: does "auth_req_id" need to be unpredictable?
https://bitbucket.org/openid/mobile/issues/134/does-auth_req_id-need-to-be-unpredictable
Joseph Heenan:
The requirements on auth_req_id aren't fully mentioned that I can see.
The non-normative examples use a UUID-like value, but that is presumably not required.
Naive implementations might use a simple incrementing int. If doing so would introduce security concerns, we should probably suggest a minimum amount of entropy or similar, as is done for tokens.
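
The concern raised above, as an added example that is not part of the original post or of the specification: a counter-based issuer beside one that draws auth_req_id from a CSPRNG and ties it to the requesting client. The class and function names, the 128-bit size, the client binding and the lifetime are all assumptions chosen for illustration.

```python
import itertools
import secrets
import time

ID_BYTES = 16  # assumption: 128 bits from a CSPRNG; the post names no figure


class CounterIssuer:
    """The 'naive' issuer from the post: a simple incrementing int."""

    def __init__(self):
        self._next = itertools.count(1000)

    def issue(self):
        return str(next(self._next))


class RandomIssuer:
    """Hypothetical hardened issuer: random id, bound to a client, expiring."""

    def __init__(self, ttl=120):
        self._pending = {}  # auth_req_id -> (client_id, expires_at)
        self._ttl = ttl

    def issue(self, client_id, now=None):
        now = time.time() if now is None else now
        auth_req_id = secrets.token_urlsafe(ID_BYTES)
        self._pending[auth_req_id] = (client_id, now + self._ttl)
        return auth_req_id

    def check(self, auth_req_id, client_id, now=None):
        """True only for a live id presented by the client it was issued to."""
        now = time.time() if now is None else now
        entry = self._pending.get(auth_req_id)
        if entry is None:
            return False
        owner, expires_at = entry
        if now >= expires_at:
            del self._pending[auth_req_id]  # drop expired requests
            return False
        return secrets.compare_digest(owner.encode(), client_id.encode())


def is_sequential(observed, later):
    """Audit helper: True when ids issued after `observed` just count up."""
    expected = [str(int(observed) + i) for i in range(1, len(later) + 1)] if observed.isdigit() else None
    return later == expected
```

Binding the id to the client means that even a leaked or guessed value is rejected when another client presents it; the random id removes the guessing route in the first place.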