<div dir="ltr"><div>Hi,</div><div><br></div><div>I have an idea like this.</div><div><br></div><div>OAuth CSRF Protection Extension</div><div><br></div><div><a href="http://www.websequencediagrams.com/cgi-bin/cdraw?lz=dGl0bGUgT0F1dGggMi4wIENTUkYgUHJvdGVjdGlvbiBFeHRlbnNpb24KCnBhcnRpY2lwYW50ICJVc2VyQWdlbnQiAAoOQ2xpAAMSU2VydmVyABsPAF4HZWRSZXNvdXJjZSIKCgBNCS0-AEMGOiBCZWdpbiBBdXRob3JpemF0AIEGBQBgBi0-AFMGOiAAWwYgU3RhdGUgUmVxdWVzdApub3RlIHJpZ2h0IG9mIACBEwYKUE9TVCAvc3RhdGUKYwCBJwVfaWQ9YWFhCmVuZCBub3RlCgCBKAYAUwpJc3N1ZSBhbmQgU2F2ZSBzAIFIBV8APgUsIFxuAAQNX3NlY3JldCBcbiB3aXRoIABaCQCAfw8AggwGCnsKICIARAwiOiJ4eHgiLAAIDwBPByI6Inl5eQAZBQCBMgkiIDogImFhYSIsCn0AgTESAII9CACCEQ9zcG9uc2UAghsGbGVmAE1FZXhwaXJlc19pbiI6MzYwMACBAwwAgycJAIQYBiA6AIJEBnIAgQIHIHBhcmFtZXRlcnMAgjAGb3duIHNlcwCEcQYAg2QIAIRpCToAhAAOAINnCQCEMgsAhBAIAINuFkdFVCAvYQCESwdlPwoAgQAIX3R5cGU9Y29kZSYAhA4OJgouLi4KAINtDD14eHgAgVULAIQjEFZhbGlkYXRlAIN2CgCEOwUAhC8MAIUZBm92ZXIgAIZDCSwAhBAIAIVhDgBOGgCFDAVjb2RlAIRoBgBOEgCEFF0gImNvZGUAhH0Fenp6IgCDZQ0Ahj0IAIMbGwCEfwcAh2ETAIUMDgCDKgxjYWxsYmFjaz9jb2RlPXp6eiYAgnsbAIRlEVZlcmlmeQCCeQ4AiDsRQWNjZXNzIFRva2UAhFIKAIgxG3Rva2VuCmdyYW50AIQ7BgCEUggAiScFXwCESQYAiBETPXl5eSYKAIE_CQCEXhQAhD0kb2RlLACEXAtcbgCEWREAiQ0HAIgEEQCBWg8Ah3kcImEAghAFXwCBZwUiOiIuLi4AiSAFcmVmcmVzaAAIEC4uLgCHahQAi2EROiAAi3QIAIJvBwCHFBxwaQoAegw9AIIUDQCMPBEAjDcKAIxXCA&s=patent">http://www.websequencediagrams.com/cgi-bin/cdraw?lz=dGl0bGUgT0F1dGggMi4wIENTUkYgUHJvdGVjdGlvbiBFeHRlbnNpb24KCnBhcnRpY2lwYW50ICJVc2VyQWdlbnQiAAoOQ2xpAAMSU2VydmVyABsPAF4HZWRSZXNvdXJjZSIKCgBNCS0-AEMGOiBCZWdpbiBBdXRob3JpemF0AIEGBQBgBi0-AFMGOiAAWwYgU3RhdGUgUmVxdWVzdApub3RlIHJpZ2h0IG9mIACBEwYKUE9TVCAvc3RhdGUKYwCBJwVfaWQ9YWFhCmVuZCBub3RlCgCBKAYAUwpJc3N1ZSBhbmQgU2F2ZSBzAIFIBV8APgUsIFxuAAQNX3NlY3JldCBcbiB3aXRoIABaCQCAfw8AggwGCnsKICIARAwiOiJ4eHgiLAAIDwBPByI6Inl5eQAZBQCBMgkiIDogImFhYSIsCn0AgTESAII9CACCEQ9zcG9uc2UAghsGbGVmAE1FZXhwaXJlc19pbiI6MzYwMACBAwwAgycJAIQYBiA6AIJEBnIAgQIHIHBhcmFtZXRlcnMAgjAGb3duIHNlcwCEcQYAg2QIAIRpCToAhAAOAINnCQCEMgsAhBAIAINuFkdFVCAvYQCESwdlPwoAgQAIX3R5cGU9Y29kZSYAhA4OJgouLi4KAINtDD14eHgAgVULAIQjEFZhbGlkYXRlAIN2CgCEOwUAhC8MAIUZBm92ZXIgAIZDCSwAhBAIAIVhDgBOGgCFDAVjb2RlAIRoBgBOEgCEFF0gImNvZGUAhH0Fenp6IgCDZQ0Ahj0IAIMbGwCEfwcAh2ETAIUMDgCDKgxjYWxsYmFjaz9jb2RlPXp6eiYAgnsbAIRlEVZlcmlmeQCCeQ4AiDsRQWNjZXNzIFRva2UAhFIKAIgxG3Rva2VuCmdyYW50AIQ7BgCEUggAiScFXwCESQYAiBETPXl5eSYKAIE_CQCEXhQAhD0kb2RlLACEXAtcbgCEWREAiQ0HAIgEEQCBWg8Ah3kcImEAghAFXwCBZwUiOiIuLi4AiSAFcmVmcmVzaAAIEC4uLgCHahQAi2EROiAAi3QIAIJvBwCHFBxwaQoAegw9AIIUDQCMPBEAjDcKAIxXCA&s=patent</a></div>
<div><br></div><div>(There is not draft specifications about this yet.)</div><div><br></div><div>About confidential clients, there are clients who has risk of CSRF without using the state parameter correctly, but it is not easy for server to detect these clients.</div>
<div>I think that the string of tcs( and tcsh) in your specifications should be generated on the Server-side.<br></div><div><br></div><div>Ryo.</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">2013/7/29 Nat Sakimura <span dir="ltr"><<a href="mailto:sakimura@gmail.com" target="_blank">sakimura@gmail.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">As some of you knows, passing the code securely to a native app on iOS platform is next to impossible. Malicious application may register the same custom scheme as the victim application and hope to obtain the code, whose success rate is rather high. <div>

<br></div><div>We have discussed about it during the OpenID Conenct Meeting at IETF 87 today, and I have captured the discussion in the form of I-D. It is pretty short and hopefully easy to read. </div><div><br></div><div>

You can find it at: </div><div><br></div><div><a href="https://bitbucket.org/Nat/drafts/src/" target="_blank">https://bitbucket.org/Nat/drafts/src/</a></div><div><br></div><div>Comments are welcome. </div><span class="HOEnZb"><font color="#888888"><div>
<div><br></div>-- <br>Nat Sakimura (=nat)<div>
Chairman, OpenID Foundation<br><a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>@_nat_en</div>
</div></font></span></div>
<br>_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br>====================<br>Ryo Ito<br>Email : <a href="mailto:ritou.06@gmail.com">ritou.06@gmail.com</a><br>====================
</div>