[Openid-specs-fapi] Issue #257: state is required for non-OpenID-Clients now, PKCE should be as well (openid/fapi)
tlodderstedt
issues-reply at bitbucket.org
Wed Jul 24 14:41:09 UTC 2019
New issue 257: state is required for non-OpenID-Clients now, PKCE should be as well
https://bitbucket.org/openid/fapi/issues/257/state-is-required-for-non-openid-clients
Torsten Lodderstedt:
state can be used to detect CSRF, not code injection.
That’s the reason the Security BCP makes PKCE mandatory for any OAuth client.
I therefore think we should add this requirement to FAPI R.
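The distinction Torsten draws above (state catches CSRF, PKCE catches code injection) is easiest to see in a small model of both flows. The following is an added example, not code from the FAPI working group or the issue tracker: a toy authorization server and a toy client, both constructed here for illustration, run through an honest login, a CSRF attempt (a foreign code and state delivered into the victim's session) and a code injection attempt (a code that leaked from the victim's flow replayed into the attacker's own session, with the attacker's own valid state). The client names, session identifiers and the assumption that a code somehow leaked are all constructed for the demonstration; the challenge derivation follows RFC 7636's S256 method.

```python
import base64
import hashlib
import secrets


def b64url_nopad(raw: bytes) -> str:
    """BASE64URL encoding without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """RFC 7636 code_verifier: 43 unreserved chars from 32 random bytes."""
    return b64url_nopad(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


class ToyAuthorizationServer:
    """Constructed model of the two endpoints PKCE touches."""

    def __init__(self):
        self._codes = {}  # authorization code -> code_challenge it was issued with

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        if method != "S256":
            raise ValueError("only S256 is modelled here")
        code = secrets.token_urlsafe(16)
        self._codes[code] = code_challenge  # bind the code to the challenge
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        challenge = self._codes.pop(code, None)  # codes are single use
        if challenge is None:
            return False
        # The code is only redeemable by whoever holds the matching verifier.
        return secrets.compare_digest(make_code_challenge(code_verifier), challenge)


class ToyClient:
    """Constructed model of a client that keeps state and verifier per browser session."""

    def __init__(self, server: ToyAuthorizationServer):
        self.server = server
        self.sessions = {}  # session id -> {"state", "verifier"}

    def start_login(self, session_id: str):
        state = secrets.token_urlsafe(16)
        verifier = make_code_verifier()
        self.sessions[session_id] = {"state": state, "verifier": verifier}
        return state, make_code_challenge(verifier)

    def handle_callback(self, session_id: str, code: str, state: str) -> str:
        sess = self.sessions.get(session_id)
        # state check: did this session start the flow the callback claims to finish?
        if sess is None or not secrets.compare_digest(sess["state"], state):
            return "csrf_rejected"
        # PKCE check happens at the AS: the verifier must match the code's challenge.
        if not self.server.token(code, sess["verifier"]):
            return "code_injection_rejected"
        return "ok"


def run_scenarios() -> dict:
    """Three flows against one AS/client pair; returns the client's verdict for each."""
    server = ToyAuthorizationServer()
    client = ToyClient(server)
    results = {}

    # 1. Honest flow: victim starts a login and finishes it in the same session.
    state_v, chal_v = client.start_login("victim")
    code_v = server.authorize(chal_v)
    results["honest"] = client.handle_callback("victim", code_v, state_v)

    # 2. CSRF: the attacker starts a flow and tricks the victim's browser into
    #    delivering the attacker's code and state to the victim's session.
    client.start_login("victim")  # victim has a fresh session, no matching state
    state_a, chal_a = client.start_login("attacker")
    code_a = server.authorize(chal_a)
    results["csrf"] = client.handle_callback("victim", code_a, state_a)

    # 3. Code injection: a code that leaked from the victim's flow (assumed here)
    #    is replayed into the attacker's own session with the attacker's own state.
    state_v2, chal_v2 = client.start_login("victim")
    leaked_code = server.authorize(chal_v2)  # constructed: assume this code leaked
    state_a2, chal_a2 = client.start_login("attacker")
    server.authorize(chal_a2)  # attacker's own code, not the one replayed
    results["code_injection"] = client.handle_callback("attacker", leaked_code, state_a2)
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: {verdict}")
```

In the third scenario the state check passes, because the attacker is completing a flow their own session legitimately started; only the verifier comparison at the token endpoint, which ties the leaked code to the victim's session, stops the exchange. That is the gap the post describes: state alone leaves code injection undetected, and PKCE closes it regardless of whether the client is an OpenID client.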