[Openid-specs-fapi] Issue #123: Is it okay for request object URNs to be predictable? (openid/fapi)

Joseph Heenan issues-reply at bitbucket.org
Wed Sep 13 15:34:35 UTC 2017


New issue 123: Is it okay for request object URNs to be predictable?
https://bitbucket.org/openid/fapi/issues/123/is-it-okay-for-request-object-urns-to-be

Joseph Heenan:

FAPI part 2 7.1 currently says:

```
Note that `request_uri` can be either URL or URN.
If it is a URL, it shall be based on a cryptographic random value so that it is difficult to predict for an attacker.
```

This would seem to imply that if a URN is used it is okay for the URN to be predictable.

I am not 100% certain that is the case (perhaps an attacker could cause a DoS by attempting to use other people's URNs, as the URNs are meant to be one-time use? Though this probably requires at least a partial compromise of the client credentials too).
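The following Python sketch is an added example illustrating the concern raised above; it is not code from the FAPI specification or from anyone in this thread. It models an authorization server that mints `request_uri` URNs either from a sequential counter (predictable) or from `secrets.token_urlsafe` (cryptographically random), and that either binds redemption of a one-time URN to the client that registered it or does not. The URN namespace `urn:example:request_object:`, the in-memory store, the fixed clock and the client names are all assumptions made for illustration.

```python
"""
Toy request-object store for an authorization server (added example, not
from the FAPI spec or this thread). It shows when a guessable request_uri
URN lets a third party burn another client's one-time request object, and
which checks prevent that.
"""
import itertools
import secrets
import time

URN_PREFIX = "urn:example:request_object:"   # hypothetical namespace
TTL_SECONDS = 60                              # assumed lifetime of a registered object


class RequestObjectStore:
    def __init__(self, predictable=False, bind_to_client=True):
        self._entries = {}
        self._predictable = predictable
        self._bind_to_client = bind_to_client
        self._counter = itertools.count(1)

    def _new_urn(self):
        if self._predictable:
            # Guessable: anyone who sees one value can enumerate the neighbours.
            return URN_PREFIX + str(next(self._counter))
        # 256 bits from the OS CSPRNG, encoded URL-safe without padding.
        return URN_PREFIX + secrets.token_urlsafe(32)

    def register(self, client_id, request_object, now=None):
        """Store a request object for client_id and return its URN."""
        now = time.time() if now is None else now
        urn = self._new_urn()
        self._entries[urn] = {
            "client_id": client_id,
            "request_object": request_object,
            "expires_at": now + TTL_SECONDS,
        }
        return urn

    def redeem(self, urn, client_id, now=None):
        """Return the request object once, or None if the URN is unknown,
        expired, already used, or (when binding is on) registered by another
        client. A rejected attempt from the wrong client must not consume it."""
        now = time.time() if now is None else now
        entry = self._entries.get(urn)
        if entry is None:
            return None
        if entry["expires_at"] < now:
            del self._entries[urn]
            return None
        if self._bind_to_client and entry["client_id"] != client_id:
            return None
        del self._entries[urn]   # one-time use
        return entry["request_object"]


def guess_next_urn(observed_urn):
    """Attacker's guess at the URN minted after observed_urn, assuming the
    server uses a sequential counter; None when the suffix is not numeric."""
    if not observed_urn.startswith(URN_PREFIX):
        return None
    suffix = observed_urn[len(URN_PREFIX):]
    return URN_PREFIX + str(int(suffix) + 1) if suffix.isdigit() else None


def scenario(predictable, bind_to_client=True):
    """Client A and client B each register a request object. An attacker who
    saw A's URN guesses B's and tries to redeem it first. Returns what the
    attacker and then the legitimate client B got back."""
    store = RequestObjectStore(predictable=predictable, bind_to_client=bind_to_client)
    t0 = 1_700_000_000.0                       # fixed clock (constructed)
    urn_a = store.register("client-a", {"scope": "openid payments"}, now=t0)
    urn_b = store.register("client-b", {"scope": "openid accounts"}, now=t0)
    guess = guess_next_urn(urn_a)
    attacker_got = store.redeem(guess, "attacker", now=t0 + 1) if guess else None
    owner_got = store.redeem(urn_b, "client-b", now=t0 + 2)
    replay_got = store.redeem(urn_b, "client-b", now=t0 + 3)
    return {
        "guess_correct": guess == urn_b,
        "attacker_got": attacker_got,
        "owner_got": owner_got,
        "replay_got": replay_got,
    }


if __name__ == "__main__":
    print("predictable, unbound:", scenario(True, bind_to_client=False))
    print("predictable, bound:  ", scenario(True))
    print("random, bound:       ", scenario(False))
```

Running the three scenarios shows the trade-off discussed in the issue: with a sequential URN and no client binding, the attacker's guess is correct and their redemption consumes client B's object, so B's own redemption fails; with the URN still predictable but redemption bound to the registering client, the guess is still correct yet the attacker is refused without consuming the object, so the attack needs the client's credentials as well; with a random URN, the guess itself fails.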




More information about the Openid-specs-fapi mailing list