[Openid-specs-fapi] Issue #205: Add requirement for Client to verify state matches session (openid/fapi)

Dave Tonge issues-reply at bitbucket.org
Wed Jan 2 15:40:08 UTC 2019


New issue 205: Add requirement for Client to verify state matches session
https://bitbucket.org/openid/fapi/issues/205/add-requirement-for-client-to-verify-state

Dave Tonge:

We discussed on the call that we probably need to add a clause that explicitly requires the client to verify the state it has received in the authorization response. While this is mentioned in the core specs, it should be emphasised in FAPI, as a failure for a client to do this would make the client open to a "Cross-browser Payment Initiation Attack" for payment APIs.

We discussed that this clause should reference the security BCP.

Responsible: tlodderstedt
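As an added illustration of the check this issue asks for (example code, not from the FAPI specs or the issue itself), the client below binds the `state` it sends to the browser session that started the authorization request and accepts an authorization response only if the returned `state` matches that session's pending value. The `OAuthClientSession` class and the scenario function are constructed for this example.

```python
import hmac
import secrets
from typing import Optional


class OAuthClientSession:
    """Minimal per-browser session store for an OAuth/OIDC client (constructed)."""

    def __init__(self) -> None:
        # state issued when this session built its authorization request, if any
        self.pending_state: Optional[str] = None

    def begin_authorization(self) -> str:
        # Fresh, unguessable state bound to THIS session; the client would put
        # it in the authorization request and keep it server-side.
        self.pending_state = secrets.token_urlsafe(32)
        return self.pending_state


def verify_callback_state(session: OAuthClientSession, returned_state: Optional[str]) -> bool:
    """Accept the authorization response only if its state equals the state this
    session issued. Missing or mismatched state means the response was not
    initiated by this session (e.g. it was started in another browser) and the
    client must stop processing it (no code exchange, no payment initiation)."""
    expected = session.pending_state
    if expected is None or returned_state is None:
        return False
    # State is consumed on first use so the same response cannot be replayed.
    session.pending_state = None
    return hmac.compare_digest(expected, returned_state)


def cross_session_scenario() -> tuple:
    """Constructed scenario: two independent browser sessions; the response that
    belongs to session A is delivered to session B's callback. Returns
    (accepted_by_b, accepted_by_a, replay_accepted_by_a)."""
    session_a = OAuthClientSession()
    state_a = session_a.begin_authorization()
    session_b = OAuthClientSession()
    session_b.begin_authorization()  # B has its own, different pending state
    accepted_by_b = verify_callback_state(session_b, state_a)  # must be False
    accepted_by_a = verify_callback_state(session_a, state_a)  # legitimate, True
    replay_accepted_by_a = verify_callback_state(session_a, state_a)  # replay, False
    return accepted_by_b, accepted_by_a, replay_accepted_by_a
```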


More information about the Openid-specs-fapi mailing list