- changed status to open
Add requirement for Client to verify state matches session
We discussed on the call that we probably need to add a clause that explicitly requires the client to verify the state it has received in the authorization response. While this is mentioned in the core specs, it should be emphasised in FAPI as a failure for a client to do this would make the client open to a "Cross-browser Payment Initiation Attack" for payment apis.
We discussed that this clause should reference the security BCP
Comments (9)
-
reporter -
https://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthResponse says:
state
OAuth 2.0 state value. REQUIRED if the state parameter is present in the Authorization Request. Clients MUST verify that the state value is equal to the value of state parameter in the Authorization Request.
I think given the 'MUST' in that text there may not be a need for a new clause unless we want to be more specific.
Nevertheless at least some implementation notes and/or a reference to https://tools.ietf.org/html/draft-ietf-oauth-security-topics-11#section-2.1 seems like a good plan.
-
reporter I think it's worth a specific clause.
-
reporter Looking at this again, the fact that we require PKCE in part 1 I think is enough?
Part 2 has detached signatures.
But it's been a while since we looked at this, so it would be good to get another opinion.
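The two checks discussed in this thread, state bound to the client session (the OIDC Core MUST quoted above) and PKCE from Part 1, shown together as an added example that is not from the FAPI specs or the thread. It assumes a dict-like per-browser session store; the function and key names are illustrative.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse


def pkce_challenge(code_verifier: str) -> str:
    """S256 code_challenge per RFC 7636: BASE64URL(SHA256(verifier)), no padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def begin_authorization(session: dict) -> dict:
    """Build the authorization request parameters and bind them to this session."""
    state = secrets.token_urlsafe(32)          # unguessable, per-request
    code_verifier = secrets.token_urlsafe(64)  # 86 chars, within RFC 7636's 43..128
    session["oauth_state"] = state             # hypothetical session keys
    session["pkce_verifier"] = code_verifier
    return {
        "state": state,
        "code_challenge": pkce_challenge(code_verifier),
        "code_challenge_method": "S256",
    }


def handle_callback(session: dict, redirect_url: str) -> dict:
    """Accept an authorization response only if its state belongs to this session.

    Rejecting a mismatch is what stops a response (and its code) issued for one
    browser from being completed inside another user's session.
    """
    params = parse_qs(urlparse(redirect_url).query)
    expected = session.pop("oauth_state", None)     # one-time use: never reusable
    code_verifier = session.pop("pkce_verifier", None)
    received = params.get("state", [None])[0]
    if expected is None or received is None or not hmac.compare_digest(
        expected.encode("utf-8"), received.encode("utf-8")
    ):
        raise ValueError("state does not match this session; discarding response")
    code = params.get("code", [None])[0]
    if code is None:
        raise ValueError("authorization response carries no code")
    # The caller sends code + code_verifier to the token endpoint; the AS checks
    # that S256(code_verifier) equals the challenge sent in the original request.
    return {"code": code, "code_verifier": code_verifier}
```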
-
reporter -
assigned issue to
-
assigned issue to
-
reporter - changed status to resolved
Issue has been dormant for a while and the underlying specs already require this behaviour
-
- changed component to Part 2: Advanced
-
- changed component to FAPI 1 – Part 2: Advanced
-
- changed component to FAPI 1: Advanced