I agree it's important but it belongs in security considerations or perhaps somewhere in the definition of the Authorization Code itself?

Either way here's some text that could be used as a starting point. I borrowed heavily from concepts and language in SAML regarding artifacts and IDs, which bear many similarities (artifacts especially) to authorization codes.

The Authorization Code value MUST be constructed from a cryptographically strong random or pseudo-random number sequence [RFC1750] generated by the Authorization Server. The probability of any two Authorization Code values being identical MUST be less than or equal to 2^(-128) and SHOULD be less than or equal to 2^(-160).

Also perhaps there should be a suggestion or requirement on the maximum size of the code as well?

-Brian

On Thu, Jul 15, 2010 at 1:23 AM, Igor Faynberg <igor.faynb...@alcatel-lucent.com> wrote:
> An important point, which I think should be captured in the security
> consideration section.
>
> Igor
>
> Torsten Lodderstedt wrote:
>>
>> what about guessing/brute force attacks on the code? Suppose an
>> authorization server issuing tokens for a client w/o secret. Then the number
>> of attempts needed to obtain a token issued to that client only depends on
>> the length and randomness of the code. Should the spec state something about
>> that?
>>
>> regards,
>> Torsten.

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
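The requirement proposed in the thread above (codes drawn from a cryptographically strong generator, pairwise collision probability at most 2^-128, preferably 2^-160, plus a maximum size) can be turned into a concrete issuance routine and a policy check. The code below is an added example, not text from the thread or from any OAuth specification draft. It assumes Python's `secrets` module as the "cryptographically strong" source, and `MAX_CODE_LENGTH` of 512 characters is a constructed value standing in for the maximum the thread only suggests should exist. It also goes slightly beyond the proposed text: the pairwise bound is what the wording asks for, but an authorization server issues many codes, so the birthday bound over all codes issued, and the expected number of blind guesses against a client with no secret (Torsten's question), are computed as well.

```python
import base64
import binascii
import math
import secrets

# Thresholds from the proposed text: pairwise collision probability MUST be
# <= 2^-128 and SHOULD be <= 2^-160. For uniformly random codes that is the
# same as carrying at least that many bits of entropy.
MUST_ENTROPY_BITS = 128
SHOULD_ENTROPY_BITS = 160
# Assumed upper bound on code length; the thread only suggests that some
# maximum be stated, 512 is a constructed value for this example.
MAX_CODE_LENGTH = 512


def generate_authorization_code(entropy_bits: int = SHOULD_ENTROPY_BITS) -> str:
    """Issue a fresh code with at least entropy_bits of entropy from the OS CSPRNG.

    secrets.token_urlsafe encodes the random bytes as unpadded base64url, so
    the code is safe to carry in a redirect URI query parameter.
    """
    return secrets.token_urlsafe(math.ceil(entropy_bits / 8))


def code_entropy_bits(code: str) -> int:
    """Bits of random material behind a base64url code, 0 if it does not decode."""
    try:
        raw = base64.urlsafe_b64decode(code + "=" * (-len(code) % 4))
    except (binascii.Error, ValueError):
        return 0
    return len(raw) * 8


def meets_requirement(code: str, minimum_bits: int = MUST_ENTROPY_BITS) -> bool:
    """Policy check an authorization server can run on every code it issues:
    bounded length and at least the MUST level of entropy."""
    return len(code) <= MAX_CODE_LENGTH and code_entropy_bits(code) >= minimum_bits


def log2_pairwise_collision_probability(entropy_bits: int) -> int:
    """log2 of the probability that two independently issued codes are identical.
    This is the quantity the proposed MUST/SHOULD text constrains."""
    return -entropy_bits


def log2_any_collision_probability(issued_codes: int, entropy_bits: int) -> float:
    """Birthday-bound upper estimate, as log2, that *any* two of issued_codes
    uniformly random codes of entropy_bits collide:
    n(n-1)/2 * 2^-b <= n^2 / 2^(b+1)."""
    return 2 * math.log2(issued_codes) - entropy_bits - 1


def log2_expected_guesses(entropy_bits: int, live_codes: int = 1) -> float:
    """log2 of the expected number of blind guesses needed to hit one of
    live_codes currently valid codes. With no client secret, this number is
    the only thing standing between a guesser and a token."""
    return entropy_bits - 1 - math.log2(live_codes)


if __name__ == "__main__":
    code = generate_authorization_code()
    print(code, code_entropy_bits(code), meets_requirement(code))
    print("pairwise collision: 2^%d" % log2_pairwise_collision_probability(MUST_ENTROPY_BITS))
    print("any collision over 2^20 codes: 2^%.0f"
          % log2_any_collision_probability(2 ** 20, MUST_ENTROPY_BITS))
    print("expected guesses, 1000 live codes: 2^%.0f"
          % log2_expected_guesses(MUST_ENTROPY_BITS, 1000))
```

The entropy check decodes the base64url text rather than counting characters, because a long code built from a short seed (or from a non-cryptographic generator) would pass a length test while carrying far less than 128 bits. The birthday figure is the one to watch on a busy server: a million outstanding codes at 128 bits still put an accidental collision around 2^-89, well below any practical concern, but the same arithmetic at 64 bits does not.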