[Openid-specs-fapi] Issue #205: Add requirement for Client to verify state matches session (openid/fapi)
issues-reply at bitbucket.org
Wed Jan 2 15:40:08 UTC 2019
New issue 205: Add requirement for Client to verify state matches session
We discussed on the call that we probably need to add a clause that explicitly requires the client to verify the state it has received in the authorization response. While this is mentioned in the core specs, it should be emphasised in FAPI as a failure for a client to do this would make the client open to a "Cross-browser Payment Initiation Attack" for payment apis.
We discussed that this clause should reference the security BCP
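The check the issue asks for, shown as an added example rather than code from the FAPI specs or any deployed client: a minimal server-side OAuth client that binds a fresh `state` to the user's session when it builds the authorization request, and on the redirect back compares the returned `state` with the value stored in the session that received the callback. The endpoint URLs, client id, the in-memory session store and the callback URLs below are constructed for illustration. The block also models the cross-session variant of the attack the issue mentions (attacker completes their own authorization and feeds the resulting redirect into the victim's browser, which carries the victim's session cookie) so the difference between a client that checks and one that does not can be seen directly.

```python
"""Client-side `state` handling for an OAuth 2.0 / FAPI authorization code flow.

Added example; endpoints, client id and session store are assumptions, not the
specs' own code. The hardened handler binds state to the session that receives
the callback; the deliberately unchecked handler shows what the issue warns about.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHZ_ENDPOINT = "https://as.example/authorize"   # assumed, illustrative
CLIENT_ID = "payment-client"                       # assumed, illustrative
REDIRECT_URI = "https://client.example/cb"         # assumed, illustrative


class StateMismatch(Exception):
    """Raised when the returned state is missing, reused, or belongs to another session."""


class ClientSessions:
    """Stand-in for the client's server-side session store (session cookie -> data)."""

    def __init__(self):
        self._sessions = {}

    def new_session(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions[sid]


def start_authorization(sessions, sid, scope="payments"):
    """Generate an unguessable state, store it in THIS session, build the request URL."""
    state = secrets.token_urlsafe(32)
    sessions.get(sid)["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def state_from_url(url):
    """Extract the `state` query parameter from a request or callback URL ('' if absent)."""
    return parse_qs(urlparse(url).query).get("state", [""])[0]


def handle_authorization_response(sessions, sid, callback_url):
    """Hardened handler: accept the code only if `state` matches the calling session.

    The stored state is popped (single use), so a replayed callback also fails.
    """
    query = parse_qs(urlparse(callback_url).query)
    returned_state = query.get("state", [""])[0]
    expected = sessions.get(sid).pop("oauth_state", None)
    if expected is None or not hmac.compare_digest(expected, returned_state):
        raise StateMismatch("state does not match the session that received the callback")
    if "code" not in query:
        raise ValueError("authorization response carries no code")
    return query["code"][0]


def handle_authorization_response_unchecked(sessions, sid, callback_url):
    """Deliberately vulnerable handler: trusts whatever `code` arrives on the redirect."""
    query = parse_qs(urlparse(callback_url).query)
    return query["code"][0]


def cross_session_attack(sessions, handler):
    """Model the cross-session attack; return True if the client swallowed the attacker's code.

    The attacker starts their own flow, consents to their own payment, and lures the
    victim's browser (which sends the victim's session cookie) into loading the resulting
    redirect. A checking client sees a state bound to a different session and rejects it.
    """
    victim = sessions.new_session()
    attacker = sessions.new_session()
    start_authorization(sessions, victim)                       # victim begins a payment
    attacker_state = state_from_url(start_authorization(sessions, attacker))
    malicious_callback = f"{REDIRECT_URI}?code=attacker-code&state={attacker_state}"
    try:
        code = handler(sessions, victim, malicious_callback)    # arrives in victim's session
    except StateMismatch:
        return False
    return code == "attacker-code"


if __name__ == "__main__":
    store = ClientSessions()
    print("unchecked client exploited:", cross_session_attack(store, handle_authorization_response_unchecked))
    print("checking client exploited:", cross_session_attack(store, handle_authorization_response))
```

The comparison uses `hmac.compare_digest` so the check is constant-time, and the stored state is removed on first use so a callback cannot be replayed into the same session; a real client would additionally tie the stored state to the session cookie's lifetime and reject callbacks for sessions that never started an authorization.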