[Openid-specs-risc] openid/sharedsignals: New Issue opened

github at oidf.org github at oidf.org
Mon Jan 27 09:10:36 UTC 2025


openid/sharedsignals event

Issue opened
Issue Title: Restrict stream_id Character Set for URL Parameter Compatibility
https://github.com/openid/sharedsignals/issues/229

The current specification draft for the Shared Signals Framework defines [`stream_id`](https://openid.net/specs/openid-sharedsignals-framework-1_0.html#section-7.1.1-2) as follows:

```
stream_id
  Transmitter-Supplied, REQUIRED. A string that uniquely identifies the stream. A Transmitter MUST generate a unique ID for each of its non-deleted streams at the time of stream creation.
```

Since `stream_id` is intended to be used as a URL parameter, it is important to ensure that the character set is restricted to those that are safe for use in URLs. Without such a restriction, there is potential for issues with URL encoding/decoding or interoperability across systems.

# Proposed Change

Add the following normative language to the specification:

```
The `stream_id` value MUST be limited to characters that are safe for use in URL parameters as defined in [RFC3986](https://www.rfc-editor.org/rfc/rfc3986). Specifically, `stream_id` MUST conform to the "unreserved" character set defined in [Section 2.3 of RFC 3986](https://www.rfc-editor.org/rfc/rfc3986#section-2.3), which includes alphanumeric characters (A-Z, a-z, 0-9), hyphen (-), period (.), underscore (_), and tilde (~). A Transmitter MUST validate that all `stream_id` values conform to this character set.
```

This addition ensures that stream_id is URL-safe and can be used reliably as a URL parameter without requiring additional encoding or risk of invalid characters.
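
Added example, not part of the original issue or of the specification: a Python sketch of the proposed unreserved-character check, together with a round trip showing how IDs outside that set change when placed unencoded into a `stream_id` query parameter. The endpoint URL, function names and sample IDs are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

# RFC 3986 section 2.3 "unreserved": ALPHA / DIGIT / "-" / "." / "_" / "~"
UNRESERVED = re.compile(r"[A-Za-z0-9\-._~]+")

# Hypothetical endpoint, assumed only for this illustration.
ENDPOINT = "https://transmitter.example/ssf/stream"


def is_valid_stream_id(stream_id: str) -> bool:
    """Non-empty and unreserved-only. fullmatch() is used instead of a
    '$' anchor so that a trailing newline is rejected as well."""
    return UNRESERVED.fullmatch(stream_id) is not None


def naive_url(stream_id: str) -> str:
    """URL built by a client that skips percent-encoding."""
    return f"{ENDPOINT}?stream_id={stream_id}"


def encoded_url(stream_id: str) -> str:
    """URL built by a client that percent-encodes the value."""
    return f"{ENDPOINT}?stream_id={quote(stream_id, safe='')}"


def received_stream_id(url: str) -> str:
    """The stream_id a receiver recovers from the query string."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("stream_id", [""])[0]


def survives_unencoded(stream_id: str) -> bool:
    """True if the ID arrives unchanged without any encoding step."""
    return received_stream_id(naive_url(stream_id)) == stream_id


# Constructed sample IDs: two conforming, four that the proposal would reject.
SAMPLES = ["f67e39a0a4d3", "stream-01.prod_a~2", "a+b", "a&b", "a#b", "a%41"]

if __name__ == "__main__":
    for sid in SAMPLES:
        print(f"{sid!r:22} valid={is_valid_stream_id(sid)!s:5} "
              f"received={received_stream_id(naive_url(sid))!r}")
```

For the conforming IDs the encoded and unencoded URLs are identical, which is the property the proposed text relies on.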

