Add requirement for Client to verify state matches session

Issue #205 resolved
Dave Tonge created an issue

We discussed on the call that we probably need to add a clause that explicitly requires the client to verify the state it has received in the authorization response. While this is mentioned in the core specs, it should be emphasised in FAPI as a failure for a client to do this would make the client open to a "Cross-browser Payment Initiation Attack" for payment apis.

We discussed that this clause should reference the security BCP

Comments (9)

  1. Joseph Heenan

    https://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthResponse says:

    state

    OAuth 2.0 state value. REQUIRED if the state parameter is present in the Authorization Request. Clients MUST verify that the state value is equal to the value of state parameter in the Authorization Request.

    I think given the 'MUST' in that text there may not be a need for a new clause unless we want to be more specific.

    Nevertheless at least some implementation notes and/or a reference to https://tools.ietf.org/html/draft-ietf-oauth-security-topics-11#section-2.1 seems like a good plan.

  2. Dave Tonge reporter

    Looking at this again, the fact that we require PKCE in part 1 I think is enough?

    Part 2 has detached signatures.

    But it's been a while since we looked at this, so it would be good to get another opinion.
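As an added illustration of the check the issue and the quoted Core text call for (not code from the issue, the FAPI specs, or any OpenID project): the client binds a fresh `state` and PKCE verifier to the user's session before redirecting, and on the callback accepts a response only if its `state` matches the value stored in that same session. The session is assumed to be a per-user dict as a web framework would provide; `CallbackError` and the function names are hypothetical.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlparse


class CallbackError(Exception):
    """Raised when the authorization response cannot be bound to this session."""


def begin_authorization(session: dict) -> dict:
    """Create fresh, single-use state and PKCE values and bind them to the user's session."""
    state = secrets.token_urlsafe(32)
    code_verifier = secrets.token_urlsafe(64)
    session["oauth_state"] = state          # assumed session-storage keys
    session["pkce_verifier"] = code_verifier
    return {"state": state, "code_verifier": code_verifier}


def handle_authorization_response(session: dict, redirect_url: str) -> dict:
    """Accept the redirect only if its state equals the one this session started with."""
    params = parse_qs(urlparse(redirect_url).query)
    # Consume the pending values first so a response is never matched twice.
    expected = session.pop("oauth_state", None)
    verifier = session.pop("pkce_verifier", None)
    if expected is None:
        raise CallbackError("no pending authorization request in this session")
    received = params.get("state", [None])[0]
    # Constant-time comparison against the session's own value, not a value the
    # response itself supplied; a mismatch means the response belongs to another
    # browser session and must not be used to finish the flow.
    if received is None or not hmac.compare_digest(received.encode(), expected.encode()):
        raise CallbackError("state mismatch: response not bound to this session")
    if "error" in params:
        raise CallbackError("authorization server returned error: " + params["error"][0])
    code = params.get("code", [None])[0]
    if code is None:
        raise CallbackError("missing authorization code")
    # The verifier is returned for the token request so PKCE binds the code too.
    return {"code": code, "code_verifier": verifier}
```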
