[Openid-specs-fapi] Issue #114: Require `state` (openid/fapi)

Nat Sakimura issues-reply at bitbucket.org
Sat Jul 15 05:29:42 UTC 2017

New issue 114: Require `state`

Nat Sakimura:

Part 1 has the case of pure OAuth. We need `state` then for CSRF protection etc. 
Also, `state` is pretty much the only parameter that can be used to identify the browser instance. BCM principles[1] advises to have all the parties identified in the message so we need browser identifier in the authorization request. 

[1] https://zisc.ethz.ch/wp-content/uploads/2017/02/sakimura_future-proofing-oauth.pptx and https://zisc.ethz.ch/wp-content/uploads/2017/02/sakimura_future-proofing-oauth.pdf

Responsible: Nat

More information about the Openid-specs-fapi mailing list