I agree it's important but does it belong in security considerations or
perhaps somewhere in the definition of the Authorization Code itself?
Either way here's some text that could be used as a starting point. I
borrowed heavily from concepts and language in SAML regarding
artifacts and IDs which bear
sounds really good.
+1 for adding this to the authorization code's specification.
On 15.07.2010 16:22, Brian Campbell wrote:
> I agree it's important but does it belong in security considerations or
> perhaps somewhere in the definition of the Authorization Code itself?
> Either way here's some text th
On Thu, Jul 15, 2010 at 7:22 AM, Brian Campbell
wrote:
> The Authorization Code value MUST be constructed from
> a cryptographically strong random or pseudo-random number
> sequence [RFC1750] generated by the Authorization Server.
> The probability of any two Authorization Code values
As written it probably does preclude that but I'm sure we could
massage it to be more flexible while still keeping the intent that the
code isn't something that can be easily guessed or is likely to
collide.
I must admit to never having considered the authz code as anything but
a random string as
On Thu, Jul 15, 2010 at 2:16 PM, Brian Campbell
wrote:
> I must admit to never having considered the authz code as anything but
> a random string as a reference that must be resolved. Can you expand
> on your thinking a bit, if only to enlighten me?
>
> Are you thinking of embedding what would be
Okay, I'm with you. Some text guiding the more obvious (to me anyway)
usage might still be useful. Something like,
"If Authorization Code value is a reference to state on the server,
the value MUST/SHOULD be constructed from a cryptographically strong
random or pseudo-random number sequence [RF
No normative language needed. Security consideration is the right approach.
EHL
On Jul 15, 2010, at 19:05, "Brian Campbell" wrote:
> Okay, I'm with you. Some text guiding the more obvious (to me anyway)
> usage might still be useful. Something like,
>
> "If Authorization Code value is a
On Thu, Jul 15, 2010 at 4:04 PM, Brian Campbell
wrote:
> I'm guessing you don't want any language restricting the length of the
> code? Though there is some practical limit due to the URL length in
> the 302 (I think it has to be a redirect).
There are certain practical limits, but I think there
On Thu, Jul 15, 2010 at 5:36 PM, Brian Eaton wrote:
> There are certain practical limits, but I think there is still blood
> on the specification from the last time normative language was
> discussed.
That must have been before my time - sorry for bringing it up
again. We can put those skel