Require `state`
Part 1 has the case of pure OAuth. We need `state` then for CSRF protection etc.

Also, `state` is pretty much the only parameter that can be used to identify the browser instance. BCM principles[1] advise having all the parties identified in the message, so we need a browser identifier in the authorization request.

[1] https://zisc.ethz.ch/wp-content/uploads/2017/02/sakimura_future-proofing-oauth.pptx and https://zisc.ethz.ch/wp-content/uploads/2017/02/sakimura_future-proofing-oauth.pdf
Comments (10)
reporter - changed status to open
`nonce` is only available when the client uses OIDC. In the case of pure OAuth, we cannot use it. Perhaps we can specify the following:

- Pure OAuth: Require `state`
- OIDC: `state` is optional.
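The two points above (the issue description's `state`-for-CSRF-and-browser-binding argument and this comment's pure-OAuth vs OIDC split) as a worked client, added here as an example and not code from the FAPI issue thread or the working group: `state` is generated for every authorization request and bound to the browser session, `nonce` only when the `openid` scope is present, and the redirect back is rejected unless it carries the state issued to that very session. The endpoint URLs, the client id and the `id_token_claims` dict (standing in for already signature-verified ID token claims) are constructed assumptions.

```python
"""Added example, not code from the FAPI issue thread: an OAuth 2.0 / OIDC client
that always sends `state`, binds it to the browser session, and checks it on the
redirect back. With the `openid` scope it also sends and checks `nonce`.
The endpoint URLs, client id and the id_token_claims dict are constructed stand-ins."""
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://as.example/authorize"  # hypothetical authorization server
REDIRECT_URI = "https://client.example/cb"      # hypothetical client redirect URI
CLIENT_ID = "example-client"                    # hypothetical client id


def query_params(url: str) -> dict:
    """First value of each query parameter in url."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class OAuthClient:
    """Keeps one pending (state, nonce) pair per browser session id."""

    def __init__(self) -> None:
        self._pending: dict = {}

    def build_authorization_url(self, session_id: str, scope: str) -> str:
        # state is generated for every request, OAuth or OIDC: it binds the
        # eventual response to this browser session (CSRF protection) and
        # identifies the browser instance in the authorization request.
        state = secrets.token_urlsafe(32)
        params = {
            "response_type": "code",
            "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI,
            "scope": scope,
            "state": state,
        }
        nonce: Optional[str] = None
        if "openid" in scope.split():
            # nonce only exists in OIDC; it binds the ID token to this request.
            nonce = secrets.token_urlsafe(32)
            params["nonce"] = nonce
        self._pending[session_id] = {"state": state, "nonce": nonce}
        return f"{AUTH_ENDPOINT}?{urlencode(params)}"

    def handle_callback(self, session_id: str, callback_url: str,
                        id_token_claims: Optional[dict] = None) -> str:
        """Return the authorization code if the response is bound to this
        session; raise ValueError otherwise. id_token_claims stands in for the
        already signature-verified claims of an OIDC ID token."""
        query = query_params(callback_url)
        pending = self._pending.pop(session_id, None)  # state is single use
        if pending is None:
            raise ValueError("no pending authorization request for this session")
        returned_state = query.get("state")
        if returned_state is None:
            raise ValueError("state missing from authorization response")
        if not secrets.compare_digest(returned_state.encode(), pending["state"].encode()):
            raise ValueError("state mismatch: response not bound to this session")
        if pending["nonce"] is not None:
            claimed = "" if id_token_claims is None else str(id_token_claims.get("nonce", ""))
            if not secrets.compare_digest(claimed.encode(), pending["nonce"].encode()):
                raise ValueError("nonce mismatch: ID token not bound to this request")
        if "code" not in query:
            raise ValueError("authorization code missing")
        return query["code"]


def demo() -> dict:
    """Legitimate pure-OAuth flow succeeds; responses carrying a foreign or
    missing state are rejected. Returns the outcomes for inspection."""
    client = OAuthClient()
    url = client.build_authorization_url("sess-A", "accounts")
    code = client.handle_callback("sess-A", f"{REDIRECT_URI}?code=c1&state={query_params(url)['state']}")

    def rejected(session_id: str, callback_url: str) -> bool:
        try:
            client.handle_callback(session_id, callback_url)
            return False
        except ValueError:
            return True

    client.build_authorization_url("sess-B", "accounts")
    foreign_state = query_params(client.build_authorization_url("sess-X", "accounts"))["state"]
    client.build_authorization_url("sess-C", "accounts")
    return {
        "legit_code": code,
        "foreign_state_rejected": rejected("sess-B", f"{REDIRECT_URI}?code=c2&state={foreign_state}"),
        "missing_state_rejected": rejected("sess-C", f"{REDIRECT_URI}?code=c3"),
    }


if __name__ == "__main__":
    print(demo())
```

The pending state is popped on first use, so a response can only be accepted once, and the comparison is constant-time. Because `nonce` is only ever set when `openid` is in the scope, the pure-OAuth path has nothing but `state` to tie the response back to the browser session, which is the point of making it mandatory there.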
reporter Sold.
reporter - assigned issue to
assigned issue to
reporter - changed status to resolved
Part 1: Make state mandatory if using pure OAuth
State is the only way to achieve CSRF protection etc when not using OpenID Connect.
fixes #114 <<cset 4970b19ae0e3>>
reporter - changed component to Part 1: Baseline
reporter - changed component to FAPI 1 - Part 1: Baseline
reporter - changed component to FAPI 1 – Part 1: Baseline
reporter - changed component to FAPI 1 – Baseline
reporter - changed component to FAPI 1: Baseline
Couldn't the `nonce` do just as well? `state` can be quite large.