Part 1 client requirements for state/nonce aren't reflected as authorization server requirements
Issue #187
closed
Part 1 requires clients to send nonce (if openid is requested in scope) and state otherwise.
I am thinking that there should be a clause in the authorization server section so that the server requires state/nonce as appropriate and rejects requests without them.
Comments (10)
- changed status to open
- changed status to closed
FAPI-R: AS must require state/nonce as applicable
Currently, although clients are required to send state (if not using openid) or nonce (if using openid), the authorization server was not required to reject requests without them.
Now it is. New sections are deliberately added for the openid vs non-openid cases to avoid needing to renumber clauses if any further requirements are added to either case.
closes #187 <<cset 4af35fbbf9e1>>
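The authorization-server check the issue and the commit above describe, written out as an added example (this is illustrative code, not the working group's text or any reference implementation): if the requested scope contains `openid` the request must carry a `nonce`, otherwise it must carry a `state`, and a request missing the applicable parameter is rejected. The query strings, the `check_state_nonce` helper and the `AuthzError` type are assumptions made for the example; the rule is only the one stated in the issue.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs


@dataclass(frozen=True)
class AuthzError:
    """OAuth-style error the AS would return for a rejected request."""
    error: str
    description: str


def scope_values(params: dict) -> set:
    """Split the space-delimited scope parameter into a set of scope tokens."""
    raw = params.get("scope", [""])[0]
    return set(raw.split())


def check_state_nonce(query: str) -> Optional[AuthzError]:
    """Apply the state/nonce rule from this issue to an authorization request.

    `query` is the raw query string of the authorization request (constructed
    input in the tests below).  Returns None when the request carries the
    parameter it needs, or an AuthzError describing why the AS must reject it.
    A real AS would only redirect this error back to the client after the
    redirect_uri has been validated; otherwise it renders the error itself.
    """
    params = parse_qs(query, keep_blank_values=True)
    scopes = scope_values(params)

    # OpenID request: nonce is bound into the ID token, so it is the value the
    # client uses to tie the response to its own request.  Require it.
    if "openid" in scopes:
        if not params.get("nonce", [""])[0]:
            return AuthzError("invalid_request",
                              "nonce is required when openid is in scope")
        return None

    # Plain OAuth request: no ID token, so state is the only binding the
    # client gets back in the redirect.  Require it.
    if not params.get("state", [""])[0]:
        return AuthzError("invalid_request",
                          "state is required when openid is not in scope")
    return None


if __name__ == "__main__":
    # Constructed sample requests, one per case.
    for q in ("scope=openid+accounts&nonce=n1&response_type=code&client_id=c",
              "scope=openid&state=s1&response_type=code&client_id=c",
              "scope=accounts&state=s1&response_type=code&client_id=c",
              "scope=accounts&nonce=n1&response_type=code&client_id=c"):
        print(q, "->", check_state_nonce(q) or "accepted")
```

An empty value (`nonce=`) is treated the same as an absent parameter, since `keep_blank_values=True` keeps it visible and the check tests for a non-empty string.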
- changed component to Part 1: Baseline
- changed component to FAPI 1 - Part 1: Baseline
- changed component to FAPI 1 – Part 1: Baseline
- changed component to FAPI 1 – Baseline
- changed component to FAPI 1: Baseline
I'm surprised. state should always be required in order to implement CSRF detection. nonce could be used for that if the nonce is delivered in the front channel. If it is delivered via the back channel, I would prefer state since the client can refuse redirect processing earlier.
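The client-side ordering the comment above argues for, as an added example rather than code from the original page or any FAPI implementation: the client binds the redirect to its own pending request via `state` before it does anything else (so a forged or replayed redirect is refused before a token request is made), and checks `nonce` only once an ID token is in hand, whether that token came back in the front channel or from the token endpoint. The `PendingAuthz` record, the `check_redirect` and `check_nonce` helpers and the sample redirect URLs are assumptions for the example; signature verification of the ID token is assumed to have happened before its claims reach `check_nonce`.

```python
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlsplit


class PendingAuthz:
    """Per-session record of what this client put in its authorization request."""

    def __init__(self) -> None:
        self.state = secrets.token_urlsafe(32)
        self.nonce = secrets.token_urlsafe(32)
        self.used = False  # a state value is accepted at most once


def _equal(a: str, b: str) -> bool:
    """Constant-time comparison on the encoded bytes (either side may be non-ASCII)."""
    return secrets.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def check_redirect(pending: Optional[PendingAuthz], redirect_url: str) -> str:
    """First step on the redirect: bind it to the pending request via state.

    Returns the authorization code.  Raises ValueError before any token
    request or ID token parsing happens when the redirect is not bound to
    this session (this is the early refusal the comment prefers).
    """
    params = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)
    state = params.get("state", [""])[0]
    if pending is None or pending.used or not _equal(state, pending.state):
        raise ValueError("state mismatch: redirect not bound to this session")
    pending.used = True

    if "error" in params:
        raise ValueError("authorization failed: " + params["error"][0])
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in redirect")
    return code


def check_nonce(pending: PendingAuthz, id_token_claims: dict) -> None:
    """Later step, once an ID token has arrived and its signature is verified.

    Works the same whether the token came back in the front channel or from
    the token endpoint; the nonce only proves the token answers our request.
    """
    if not _equal(str(id_token_claims.get("nonce", "")), pending.nonce):
        raise ValueError("nonce mismatch: ID token does not answer our request")


if __name__ == "__main__":
    # Constructed walk-through of one successful flow.
    pending = PendingAuthz()
    redirect = "https://client.example/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=" + pending.state
    code = check_redirect(pending, redirect)
    print("code:", code)
    check_nonce(pending, {"sub": "alice", "nonce": pending.nonce})  # constructed claims
    print("nonce ok")
```

The `used` flag makes each `state` single-use, so a captured redirect cannot be replayed into the same session after the first one has been processed.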