Under section 5.3.1 “Auth Session”, the spec mentions:
The auth_session value is completely opaque to the client, and as
such the authorization server MUST adequately protect the value from
inspection by the client, for example by using a random string or
using a JWE if the authorization server is not maintaining state on
the backend.
I think the intention behind mandating opaqueness is to protect any sensitive information. Depending on the AS implementation, it could decide to use an auth_session value that is not opaque but also does not contain any sensitive data. I think it would be better to recommend that the AS use adequate measures such as encryption in the event it is using something other than an opaque value that contains sensitive data. The current mandate will put an unnecessary burden on the AS to encrypt and decrypt data if it doesn’t contain sensitive information.
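As an added example (not code from the draft or from the issue author), the two designs the issue contrasts, in Python using only the standard library: an opaque random handle with the state kept on the AS backend, and a stateless value that is HMAC-protected against tampering but fully readable by the client. The signing key and the session fields are constructed for the demo; a JWE, which the draft names for the stateless case, would additionally hide the fields and is not shown here.

```python
import base64, hashlib, hmac, json, secrets
from typing import Optional

# Constructed demo key; a real AS would load this from a secret store or KMS.
AS_SIGNING_KEY = secrets.token_bytes(32)

def _b64u(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Option A (what the draft requires): an opaque random handle. The client sees
# only 256 random bits; all session state lives on the AS side.
_SESSIONS: dict = {}

def issue_opaque_session(state: dict) -> str:
    handle = secrets.token_urlsafe(32)
    _SESSIONS[handle] = state
    return handle

def resolve_opaque_session(handle: str) -> Optional[dict]:
    return _SESSIONS.get(handle)

# Option B (what the issue proposes as acceptable): stateless value that is
# integrity-protected but not encrypted. Because the client can decode the
# payload, the AS must make sure it carries nothing sensitive.
def issue_signed_session(state: dict) -> str:
    payload = _b64u(json.dumps(state, separators=(",", ":")).encode())
    tag = hmac.new(AS_SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64u(tag)}"

def resolve_signed_session(token: str) -> Optional[dict]:
    try:
        payload, tag = token.split(".", 1)
        expected = hmac.new(AS_SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64u_dec(tag)):
            return None          # forged or tampered: reject
        return json.loads(_b64u_dec(payload))
    except (ValueError, UnicodeDecodeError):
        return None              # malformed token

def client_can_read(value: str) -> Optional[dict]:
    """What a client learns by decoding the value without the AS key."""
    try:
        return json.loads(_b64u_dec(value.split(".", 1)[0]))
    except Exception:
        return None              # nothing intelligible: the value is opaque
```

`client_can_read` makes the difference concrete: it returns `None` for the opaque handle and the full payload for the signed value, which is exactly why the non-opaque variant must contain no sensitive data.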