[Openid-specs-fapi] Issue #674: length of nonce tested in OP conformance tests (openid/fapi)
josephheenan
issues-reply at bitbucket.org
Mon Feb 12 10:39:45 UTC 2024
New issue 674: length of nonce tested in OP conformance tests
https://bitbucket.org/openid/fapi/issues/674/length-of-nonce-tested-in-op-conformance
Joseph Heenan:
The OP tests for FAPI1/FAPI2 currently require OPs to support a 10 character nonce, and to either correctly process or reject with an error a 384 character state.
The certification team identified that more than one certified client uses nonces up to 43 characters in length, hence we would like to require that OPs support 43 character nonces and seek the working group's approval to do so.
By way of background:
We currently warn (but don’t fail) RPs if they use over 43 character nonces, so the suggested change would introduce consistency between the OP & RP tests.
[https://gitlab.com/openid/conformance-suite/-/issues/1217](https://gitlab.com/openid/conformance-suite/-/issues/1217) has the data about lengths we’ve seen in certified clients
[https://gitlab.com/openid/conformance-suite/-/issues/1307](https://gitlab.com/openid/conformance-suite/-/issues/1307) tracks adding a check for 43 character nonces
(There’s unfortunately a long history of discussions in this area with no real conclusion being reached, e.g. [https://bitbucket.org/openid/connect/issues/1055/limits-on-overall-url-length](https://bitbucket.org/openid/connect/issues/1055/limits-on-overall-url-length) and the issues linked from it.)
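As an added illustration (not part of the issue above and not conformance-suite code), the following toy shows where the 43-character figure comes from and what the OP-side check described in the issue amounts to: 32 random bytes encoded as unpadded base64url are exactly 43 characters, which is what many RP libraries generate for `nonce`. The `OpLimits`, `handle_authz_request` and `conformance_check` names, and the limit values, are constructed for this example; a real OP's limits would be whatever its implementation enforces.

```python
import base64
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class OpLimits:
    """Constructed stand-in for an OP's request-parameter policy."""
    max_nonce_len: int               # longest nonce the OP will process
    max_state_len: Optional[int]     # None = any state length is simply echoed back


def make_nonce(n_bytes: int = 32) -> str:
    """RP-style nonce: n random bytes, base64url without padding.
    32 bytes -> 43 characters, 16 bytes -> 22 characters."""
    raw = secrets.token_bytes(n_bytes)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def handle_authz_request(limits: OpLimits, params: dict) -> dict:
    """Toy OP front door: either accept the request (nonce is bound into the
    ID token, state is echoed) or reject it with an OAuth-style error that
    still carries state back so the RP can correlate the response."""
    nonce = params.get("nonce")
    state = params.get("state")
    if not nonce:
        return {"error": "invalid_request",
                "error_description": "nonce required", "state": state}
    if len(nonce) > limits.max_nonce_len:
        return {"error": "invalid_request",
                "error_description": "nonce too long", "state": state}
    if (limits.max_state_len is not None and state is not None
            and len(state) > limits.max_state_len):
        return {"error": "invalid_request",
                "error_description": "state too long", "state": state}
    return {"id_token_claims": {"nonce": nonce}, "state": state}


def conformance_check(limits: OpLimits) -> dict:
    """Mirrors the two expectations named in the issue: a 43-character nonce
    must be processed; a 384-character state must be either processed or
    rejected with a proper error (never silently dropped or mangled)."""
    results = {}

    nonce43 = make_nonce(32)
    resp = handle_authz_request(limits, {"nonce": nonce43, "state": "s1"})
    results["nonce_43_accepted"] = (
        resp.get("id_token_claims", {}).get("nonce") == nonce43)

    state384 = "x" * 384
    resp = handle_authz_request(limits, {"nonce": make_nonce(32), "state": state384})
    processed = "id_token_claims" in resp
    rejected_cleanly = "error" in resp
    # In both outcomes the OP must hand the original state back unchanged.
    results["state_384_handled"] = (
        (processed or rejected_cleanly) and resp.get("state") == state384)
    return results


if __name__ == "__main__":
    print("nonce length:", len(make_nonce()))          # 43
    print("legacy OP (10-char nonce):", conformance_check(OpLimits(10, None)))
    print("updated OP (43-char nonce):", conformance_check(OpLimits(43, 255)))
```

Running it shows the legacy policy failing `nonce_43_accepted` while still passing `state_384_handled`, which is precisely the gap the proposed test change is meant to close.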