Require `state`

Issue #114 resolved
Nat Sakimura created an issue

Part 1 has the case of pure OAuth. We need state then for CSRF protection etc. Also, state is pretty much the only parameter that can be used to identify the browser instance. BCM principles[1] advises to have all the parties identified in the message so we need browser identifier in the authorization request.

[1] https://zisc.ethz.ch/wp-content/uploads/2017/02/sakimura_future-proofing-oauth.pptx and https://zisc.ethz.ch/wp-content/uploads/2017/02/sakimura_future-proofing-oauth.pdf

Comments (5)

  1. Nat Sakimura reporter
    • changed status to open

    nonce is only available when the client uses OIDC. In the case of pure OAuth, we cannot use it.

    Perhaps we can specify the following:

    • Pure OAuth: Require state
    • OIDC: state is optional.
  2. Log in to comment