[Openid-specs-fapi] Issue #345: it's okay if a refresh token can be guessed? (openid/fapi)

Brian Campbell issues-reply at bitbucket.org
Wed Nov 18 21:34:57 UTC 2020


New issue 345: it's okay if a refresh token can be guessed?
https://bitbucket.org/openid/fapi/issues/345/its-okay-if-a-refresh-token-can-be-guessed

Brian Campbell:

Baseline has "Access tokens shall be non-guessable with a minimum of 128 bits of entropy where the probability of an attacker guessing the generated token is less than or equal to 2^(-160) as per [@!RFC6749] section 10.10."

Should ATs be the only artifact for which we give such requirements? There are also refresh tokens, authorization codes, request_uri values from PAR, and maybe other stuff I'm forgetting.




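As an added illustration of the two quantities in the quoted Baseline sentence (token entropy and attacker guess probability), the following Python is not part of this thread or of the FAPI specification. It generates tokens from the OS CSPRNG via `secrets`, which is equally applicable to refresh tokens, authorization codes and PAR request_uri suffixes, and models the guess probability with a simple union bound over live tokens and attacker guesses. The function names, the bound model and the sample figures are my own assumptions, not spec text.

```python
import math
import secrets

# Figures quoted in the issue from FAPI Baseline / RFC 6749 section 10.10.
MIN_ENTROPY_BITS = 128                 # floor on entropy per generated token
TARGET_GUESS_PROBABILITY = 2.0 ** -160  # ceiling on attacker success probability


def new_token(entropy_bits: int = 256) -> str:
    """Return a URL-safe random token carrying at least `entropy_bits` of entropy.

    Assumption: the same construction is used for access tokens, refresh tokens,
    authorization codes and the random part of a PAR request_uri. Rejecting
    anything below the 128-bit floor turns a misconfiguration into a hard error
    instead of a silently weak token.
    """
    if entropy_bits < MIN_ENTROPY_BITS:
        raise ValueError(
            f"{entropy_bits} bits is below the {MIN_ENTROPY_BITS}-bit minimum")
    nbytes = math.ceil(entropy_bits / 8)
    return secrets.token_urlsafe(nbytes)   # base64url of nbytes CSPRNG bytes, no padding


def guess_probability(entropy_bits: int, valid_tokens: int, attacker_guesses: int) -> float:
    """Upper bound on the chance that `attacker_guesses` uniformly random guesses
    hit any of `valid_tokens` currently valid tokens drawn from a 2**entropy_bits space.

    Model (an assumption for illustration): each guess matches a given live token
    with probability 2**-entropy_bits, and the union bound sums over all
    (guess, token) pairs. This is why entropy alone does not fix the guess
    probability: the number of outstanding tokens and the attacker's budget matter.
    """
    space = 2.0 ** entropy_bits
    return min(1.0, (valid_tokens * attacker_guesses) / space)


def required_entropy_bits(valid_tokens: int, attacker_guesses: int,
                          target: float = TARGET_GUESS_PROBABILITY) -> int:
    """Smallest entropy (bits) so that guess_probability(...) <= target.

    Solves valid_tokens * attacker_guesses / 2**b <= target for b.
    """
    return math.ceil(math.log2(valid_tokens * attacker_guesses) - math.log2(target))


def meets_baseline(entropy_bits: int, valid_tokens: int, attacker_guesses: int) -> bool:
    """True if both the entropy floor and the guess-probability ceiling are satisfied
    for the given deployment assumptions."""
    return (entropy_bits >= MIN_ENTROPY_BITS
            and guess_probability(entropy_bits, valid_tokens, attacker_guesses)
            <= TARGET_GUESS_PROBABILITY)


if __name__ == "__main__":
    # Constructed deployment figures: ~1M live refresh tokens, attacker able to
    # submit ~2^40 guesses before rate limiting or key rotation intervenes.
    live, guesses = 2 ** 20, 2 ** 40
    print("sample token:", new_token())
    for bits in (128, 160, 256):
        print(f"{bits:>3} bits -> p(guess) <= {guess_probability(bits, live, guesses):.3e}"
              f"  meets baseline: {meets_baseline(bits, live, guesses)}")
    print("bits needed for 2^-160 under these assumptions:",
          required_entropy_bits(live, guesses))
```

The practical takeaway for the question in the issue is that the same generator and the same bound apply to every server-issued opaque artifact; whichever of them is issued in the largest numbers and lives longest is the one that drives the required length.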