[Openid-specs-fapi] Issue #114: Require `state` (openid/fapi)
Nat Sakimura
issues-reply at bitbucket.org
Sat Jul 15 05:29:42 UTC 2017
New issue 114: Require `state`
https://bitbucket.org/openid/fapi/issues/114/require-state
Nat Sakimura:
Part 1 has the case of pure OAuth. We need `state` then for CSRF protection etc.
Also, `state` is pretty much the only parameter that can be used to identify the browser instance. BCM principles[1] advise having all the parties identified in the message, so we need a browser identifier in the authorization request.
[1] https://zisc.ethz.ch/wp-content/uploads/2017/02/sakimura_future-proofing-oauth.pptx and https://zisc.ethz.ch/wp-content/uploads/2017/02/sakimura_future-proofing-oauth.pdf
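As an added illustration of the two points above (this is example code written for this note, not code from the issue, the FAPI specification, or the referenced slides), the following relying-party helpers bind a fresh `state` to the server-side session that belongs to one browser, and refuse any callback whose `state` is absent, reused, or taken from a different session. The endpoint URLs, client id, and redirect URI are hypothetical placeholders; the "session" is a plain dict standing in for whatever store the session cookie points at.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical values chosen for this example (not from the issue or spec).
AUTHORIZATION_ENDPOINT = "https://as.example/authorize"
CLIENT_ID = "example-client"
REDIRECT_URI = "https://rp.example/callback"


class StateMismatch(Exception):
    """Raised when a callback cannot be tied to a pending request of this browser."""


def start_authorization(session: dict, scope: str = "openid") -> str:
    """Create an unguessable `state`, bind it to this browser's session, and
    build the authorization request URL.

    `session` stands in for server-side storage keyed by the browser's session
    cookie; that binding is what lets `state` identify the browser instance."""
    state = secrets.token_urlsafe(32)        # 256 bits of randomness
    session["oauth_state"] = state           # one pending request per session
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    }
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> str:
    """Validate the redirect back to the client and return the authorization code.

    The pending `state` is consumed on the first callback, whatever the outcome,
    so a second delivery (replay) or a retry after a failure cannot succeed."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)
    received = query.get("state", [None])[0]
    if expected is None or received is None:
        raise StateMismatch("no pending authorization request for this session")
    if not hmac.compare_digest(expected, received):   # constant-time compare
        raise StateMismatch("state does not belong to this browser session")
    code = query.get("code", [None])[0]
    if code is None:
        raise ValueError("callback carried no authorization code")
    return code


def simulate() -> dict:
    """Exercise the honest flow plus three rejected cases with constructed
    callback URLs: replay, a state from another session, and no state at all."""
    results = {}
    # 1. Honest flow: the browser that started the request finishes it.
    browser = {}
    state = parse_qs(urlparse(start_authorization(browser)).query)["state"][0]
    callback = f"{REDIRECT_URI}?code=constructed-code-1&state={state}"
    results["honest_code"] = handle_callback(browser, callback)
    # 2. Replay: the same callback delivered twice must fail the second time.
    try:
        handle_callback(browser, callback)
        results["replay_rejected"] = False
    except StateMismatch:
        results["replay_rejected"] = True
    # 3. Cross-session callback: a state issued to a different browser.
    victim, other = {}, {}
    start_authorization(victim)
    other_state = parse_qs(urlparse(start_authorization(other)).query)["state"][0]
    try:
        handle_callback(victim, f"{REDIRECT_URI}?code=constructed-code-2&state={other_state}")
        results["cross_session_rejected"] = False
    except StateMismatch:
        results["cross_session_rejected"] = True
    # 4. Missing state: a callback with only a code.
    start_authorization(victim)
    try:
        handle_callback(victim, f"{REDIRECT_URI}?code=constructed-code-3")
        results["missing_rejected"] = False
    except StateMismatch:
        results["missing_rejected"] = True
    return results
```

The state is popped before it is compared, so one callback, good or bad, closes the pending request; a client that wants to tolerate a user pressing "back" and retrying has to start a new authorization request, which is the safer default.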
Responsible: Nat