Require `state`
Issue #114
resolved
Part 1 has the case of pure OAuth. We need state then for CSRF protection etc.
Also, state is pretty much the only parameter that can be used to identify the browser instance. BCM principles[1] advises to have all the parties identified in the message so we need browser identifier in the authorization request.
[1] https://zisc.ethz.ch/wp-content/uploads/2017/02/sakimura_future-proofing-oauth.pptx and https://zisc.ethz.ch/wp-content/uploads/2017/02/sakimura_future-proofing-oauth.pdf
Comments (10)
-
-
reporter
- changed status to open
nonceis only available when the client uses OIDC. In the case of pure OAuth, we cannot use it.Perhaps we can specify the following:
- Pure OAuth: Require
state - OIDC:
stateis optional.
-
reporter
Sold.
-
reporter
-
assigned issue to
Joseph Heenan
-
assigned issue to
-
reporter
- changed status to resolved
Part 1: Make state mandatory if using pure OAuth
State is the only way to achieve CSRF protection etc when not using OpenID Connect.
fixes
#114→ <<cset 4970b19ae0e3>>
-
reporter
- changed component to Part 1: Baseline
-
reporter
- changed component to FAPI 1 - Part 1: Baseline
-
reporter
- changed component to FAPI 1 – Part 1: Baseline
-
reporter
- changed component to FAPI 1 – Baseline
-
reporter
- changed component to FAPI 1: Baseline
- Log in to comment
- Assignee
- Type
- Priority
- Status
- resolved
- Component
- FAPI 1: Baseline
- Milestone
- R3 - Nov 2017
- Votes
- 0
- Watchers
- 1
Couldn't the nonce do just as well? State can be quite large