[Openid-specs-fapi] Issue #610: Ability for AS to reject requests that have suspicious state/nonce or other params (openid/fapi)
dgtonge
issues-reply at bitbucket.org
Wed Jun 21 16:01:51 UTC 2023
New issue 610: Ability for AS to reject requests that have suspicious state/nonce or other params
https://bitbucket.org/openid/fapi/issues/610/ability-for-as-to-reject-requests-that
Dave Tonge:
An issue was raised via email about whether it was acceptable for an AS to reject requests that have suspicious state or nonce values, e.g. with a <script> tag or something similar.
Although the AS shouldn’t be processing such values, the worry was that by not blocking such requests, the AS may be facilitating an XSS attack.
We discussed on the call today that:
1. Nothing is stopping an AS blocking requests that it considers suspicious, e.g. with a <script> tag
2. An AS must not wholesale block certain characters, e.g. “<” - the AS should accept any random state/nonce value that complies with the underlying specs. The conformance suite generates random values for state and nonce.
Please chime in if you have any other view on the above
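The distinction drawn in the two points above can be shown as a small authorization-server handler. This is an added example written for this thread, not code from the FAPI working group or the conformance suite. It assumes the RFC 6749 Appendix A grammar for state (1*VSCHAR, i.e. printable ASCII %x20-7E) as the "underlying spec" check, treats the value as opaque otherwise, and shows that a value such as `<script>` is inert once it is percent-encoded into the redirect query string or HTML-escaped into a form_post body. The optional `reject_script_tags` policy is an assumed local choice illustrating point 1; it deliberately does not reject a bare `<`, per point 2. Function names, the client redirect URI and the code value are constructed for the example.

```python
import html
import re
from urllib.parse import urlencode, urlsplit, urlunsplit

# RFC 6749 Appendix A: state = 1*VSCHAR, where VSCHAR = %x20-7E.
# Any printable ASCII character is allowed, including '<', '>' and quotes.
_VSCHAR = re.compile(r"^[\x20-\x7E]+$")

# Narrow, assumed local policy (not mandated by any spec): refuse values that
# carry an explicit <script tag. It must not trigger on a bare '<'.
_SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def is_spec_compliant_state(value: str) -> bool:
    """True when value satisfies the RFC 6749 grammar for the state parameter."""
    return bool(_VSCHAR.match(value))


def looks_suspicious(value: str) -> bool:
    """Optional heuristic for the AS policy described in point 1 of the thread."""
    return _SCRIPT_TAG.search(value) is not None


def build_redirect(redirect_uri: str, code: str, state: str) -> str:
    """Append code and state to the registered redirect_uri as percent-encoded
    query parameters (RFC 6749 section 4.1.2). urlencode() turns '<' into %3C,
    so the client receives the exact bytes it sent and no markup reaches a page."""
    parts = urlsplit(redirect_uri)
    extra = urlencode({"code": code, "state": state})
    query = f"{parts.query}&{extra}" if parts.query else extra
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def render_form_post(redirect_uri: str, code: str, state: str) -> str:
    """Body for response_mode=form_post: every reflected value is HTML-escaped
    (including quotes), so '<script>' becomes '&lt;script&gt;'."""
    esc = lambda s: html.escape(s, quote=True)  # noqa: E731 (kept short for the example)
    return (
        f'<form method="post" action="{esc(redirect_uri)}">'
        f'<input type="hidden" name="code" value="{esc(code)}"/>'
        f'<input type="hidden" name="state" value="{esc(state)}"/>'
        "</form>"
    )


def handle_authorization_request(redirect_uri: str, code: str, state: str,
                                 reject_script_tags: bool = False) -> tuple:
    """Returns ('reject', reason) or ('redirect', location).

    Point 2: a value that complies with the spec grammar is accepted, even if it
    contains '<'. Point 1: an AS MAY additionally apply its own narrow policy."""
    if not is_spec_compliant_state(state):
        return ("reject", "invalid_request: state contains characters outside VSCHAR")
    if reject_script_tags and looks_suspicious(state):
        return ("reject", "invalid_request: state rejected by local policy")
    return ("redirect", build_redirect(redirect_uri, code, state))


if __name__ == "__main__":
    # Constructed sample values, not from any real deployment.
    cb, code = "https://client.example/cb", "constructed-code"
    for state in ("x<y", "<script>alert(1)</script>", "caf\u00e9"):
        print(state, "->", handle_authorization_request(cb, code, state, reject_script_tags=True))
```

Running the block shows the three outcomes: `x<y` is redirected with `state=x%3Cy`, the explicit script tag is refused only because the optional policy is switched on, and the non-ASCII value is refused because it falls outside the spec grammar rather than because of any character blocklist.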