4. String Operations

Processing some OAuth 2.0 messages requires comparing values in the message to known values. For example, the member names in a metadata response might be compared to specific member name values, such as "issuer". However, comparisons of Unicode [UNICODE] strings have significant security implications.

Therefore, comparisons between JSON strings and other Unicode strings MUST be performed as specified below:

  1. Remove any escape sequences applied by JSON to produce an array of Unicode code points.

  2. Unicode Normalization [USA15] MUST NOT be applied to the JSON string or the string to which it is compared at any point.

  3. Comparisons between the two strings MUST be performed as a Unicode code-point-to-code-point equality comparison.

Note that this is the same equality comparison process as described in Section 8.3 of [RFC8259].
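The three steps above, carried out in Python as an added illustration (this code is not part of the specification). It relies only on the standard `json` and `unicodedata` modules: `json.loads` performs step 1 (escape removal, including the recombination of `\uD83D\uDE00`-style surrogate pairs into a single code point), and the comparison is then done on tuples of code points with no normalization. The metadata document, member names and the final `nfc_equal` helper are constructed here to make the difference between code-point equality and normalized equality visible.

```python
import json
import unicodedata

# Constructed sample metadata response; the "issuer" member name is written
# with a JSON \u escape to show that step 1 resolves it before comparison.
SAMPLE_METADATA = r'''{
  "\u0069ssuer": "https://as.example.com",
  "authorization_endpoint": "https://as.example.com/authorize"
}'''


def to_code_points(s):
    """Represent a str as a tuple of Unicode code points (ints)."""
    return tuple(ord(ch) for ch in s)


def decode_json_string(json_literal):
    """Step 1: remove JSON escape sequences (\\uXXXX, surrogate pairs, \\n, ...)
    from a JSON string literal and return its code points. Nothing else is
    changed: no normalization, case folding or trimming."""
    value = json.loads(json_literal)
    if not isinstance(value, str):
        raise TypeError("expected a JSON string literal")
    return to_code_points(value)


def code_point_equal(a, b):
    """Steps 2 and 3: code-point-to-code-point equality of two str values,
    with neither side normalized."""
    return to_code_points(a) == to_code_points(b)


def find_member(metadata_json, member_name):
    """Look up `member_name` in a parsed metadata object using the comparison
    rule above. json.loads has already applied step 1 to every member name,
    so only the unnormalized code-point comparison remains."""
    obj = json.loads(metadata_json)
    for key, value in obj.items():
        if code_point_equal(key, member_name):
            return value
    return None


def nfc_equal(a, b):
    """What step 2 forbids: comparing after NFC normalization. Included only
    to show which pairs would wrongly match; not for use in OAuth handling."""
    return unicodedata.normalize("NFC", a) == unicodedata.normalize("NFC", b)


if __name__ == "__main__":
    print(find_member(SAMPLE_METADATA, "issuer"))      # https://as.example.com
    print(find_member(SAMPLE_METADATA, "Issuer"))      # None (no case folding)
    # 'e' + COMBINING ACUTE ACCENT versus precomposed LATIN SMALL LETTER E WITH ACUTE
    print(code_point_equal("e\u0301", "\u00e9"))       # False: distinct code points
    print(nfc_equal("e\u0301", "\u00e9"))              # True: why normalization is excluded
```

The last two lines are the point of the rule: a member name or value that differs only in its composition form is a different string under the mandated comparison, so a decoder that silently normalized before comparing would accept inputs the specification says must not match.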