[Openid-specs-fapi] Issue #132: Requirement on token lengths may be less than core OAuth requires (openid/fapi)
issues-reply at bitbucket.org
Thu Feb 1 11:27:55 UTC 2018
New issue 132: Requirement on token lengths may be less than core OAuth requires
FAPI Part one says:
> [the AS] shall provide opaque non-guessable access tokens with a minimum of 128 bits as defined in section 5.1.4.2.2 of [RFC6819].
whereas https://tools.ietf.org/html/rfc6749#section-10.10 says:
> The authorization server MUST prevent attackers from guessing access tokens, authorization codes, refresh tokens, resource owner passwords, and client credentials.
> The probability of an attacker guessing generated tokens (and other credentials not intended for handling by end-users) MUST be less than or equal to 2^(-128) and SHOULD be less than or equal to 2^(-160).
To me, that makes the requirement in FAPI too weak. 128 bits of length (where the token is only using ASCII) is less than 112 bits of entropy.
We'd need to be insisting on something over 182 bits to come anywhere close to meeting that 'SHOULD' I believe?
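The issue above turns on the difference between a token's encoded length and the entropy it can carry. The following is an added worked example, not part of the issue or of the FAPI specification, that makes that arithmetic explicit: for a given alphabet it bounds the entropy of a token of a given character length, computes the shortest token whose guessing probability meets the RFC 6749 MUST (2^-128) and SHOULD (2^-160) thresholds, and shows that generating from random bytes and then encoding is what fixes the entropy, not the length of the encoded string. The alphabet names, the `guess_probability_exponent` helper and the dictionary keys returned by `check_against_rfc6749` are this example's own choices, not terms from either specification.

```python
import math
import secrets
import string

# Alphabets an authorization server might draw opaque tokens from (this example's own set).
ALPHABETS = {
    "hex": string.hexdigits[:16],                              # 16 symbols  -> 4 bits per char
    "base64url": string.ascii_letters + string.digits + "-_",  # 64 symbols  -> 6 bits per char
    "ascii7": "".join(chr(i) for i in range(128)),             # 128 symbols -> 7 bits per char (upper bound)
}


def max_entropy_bits(token_chars: int, alphabet_size: int) -> float:
    """Upper bound on the entropy of a token of token_chars characters.

    The bound assumes every character is chosen uniformly and independently;
    any structure (timestamps, counters, hashes of low-entropy input) only lowers it.
    """
    return token_chars * math.log2(alphabet_size)


def guess_probability_exponent(token_chars: int, alphabet_size: int) -> float:
    """Return e such that a single guess succeeds with probability 2^-e (uniform tokens)."""
    return max_entropy_bits(token_chars, alphabet_size)


def min_chars_for_bits(target_bits: int, alphabet_size: int) -> int:
    """Smallest character count whose guessing probability is <= 2^-target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def chars_in_bit_length(length_bits: int) -> int:
    """Characters in a token whose *encoded length* is length_bits (8-bit characters)."""
    return length_bits // 8


def check_against_rfc6749(token_chars: int, alphabet_size: int) -> dict:
    """Compare a token's entropy bound with RFC 6749 section 10.10 thresholds."""
    bits = max_entropy_bits(token_chars, alphabet_size)
    return {
        "entropy_bits_max": bits,
        "meets_must_2^-128": bits >= 128,
        "meets_should_2^-160": bits >= 160,
    }


def generate_token_from_alphabet(target_bits: int, alphabet: str) -> str:
    """Draw characters with a CSPRNG until the entropy bound reaches target_bits."""
    n = min_chars_for_bits(target_bits, len(alphabet))
    return "".join(secrets.choice(alphabet) for _ in range(n))


def generate_token_from_bytes(target_bits: int) -> tuple[str, int]:
    """Generate random bytes first and encode afterwards.

    Entropy is 8 bits per random byte regardless of how long the base64url
    encoding comes out; returns (token, entropy_bits).
    """
    nbytes = math.ceil(target_bits / 8)
    return secrets.token_urlsafe(nbytes), nbytes * 8


if __name__ == "__main__":
    # A token whose encoded length is 128 bits is 16 characters long.
    n = chars_in_bit_length(128)
    for name, alphabet in ALPHABETS.items():
        print(name, n, "chars:", check_against_rfc6749(n, len(alphabet)))
    for name, alphabet in ALPHABETS.items():
        print(name, "needs", min_chars_for_bits(128, len(alphabet)), "chars for 2^-128,",
              min_chars_for_bits(160, len(alphabet)), "chars for 2^-160")
    token, bits = generate_token_from_bytes(160)
    print("from 20 random bytes:", token, "->", bits, "bits in", len(token), "chars")
```

The point a practitioner should take from the numbers: `secrets.token_urlsafe(16)` carries 128 bits of entropy in 22 characters, while a 16-character string over the same base64url alphabet can never exceed 96 bits no matter how it was produced, so a length requirement is only meaningful once the alphabet and the source of randomness are fixed.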