Basic, Messages, Standard - Use of state with implicit flow seems odd
Issue #303
resolved
The use of state for the implicit flow seems really odd. I thought the whole point of the implicit flow was that all the logic was in the browser and none of it was in the server? But the whole point of the state value was to prevent browser based attacks. But an implicit flow by definition is fully vulnerable to browser based attacks, so what’s the point of having state on an implicit request?
Comments (2)
reporter - changed status to resolved
Fix
"serves as a protection against XSRF attacks" -> "It may serve as a protection against XSRF attacks and other purposes."