Sep 29th, 2011, 09:31 AM
OAuth 2 support for state in authorization
According to the specification it is strongly RECOMMENDED that the client includes the "state" request parameter with authorization requests to the authorization server to mitigate against CSRF attacks, particularly for login CSRF attacks: draft-ietf-oauth-v2-20#section-10.12
This doesn't seem to work until now, because apart from SECOAUTH-123, which delivers the string "null" as redirect uri if we have a state and no pre-established redirect uri, there seems to be no way to add a state dynamically to the authorization request. As far as I can see the only place to set a state would be AuthorizationCodeResourceDetails, but since this should be a singleton, the state cannot be dynamic (i.e. different for each request).
Is this correct? If not, how should it be possible to add a dynamic state parameter to the authorization request?
Best regards and thanks in advance
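Added example, not code from the thread or from Spring Security OAuth: the per-request "state" handling the post is asking for, shown as a small generic OAuth 2 client in Python (the same pattern applies to a Java client). Each authorization request mints a fresh, unguessable state and binds it to the user's session; the callback is only accepted if the echoed state matches that session's value, which is what defeats the login CSRF case referenced from section 10.12. The endpoint, client id and redirect URI are constructed values, and `demo()` walks through a legitimate callback, a callback carrying another session's state, and a replay.

```python
"""Per-request OAuth 2 'state' handling on the client side (added example)."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed endpoint and client values; not taken from the thread.
AUTHORIZE_ENDPOINT = "https://auth.example.test/oauth/authorize"
CLIENT_ID = "demo-client"
REDIRECT_URI = "https://client.example.test/oauth/callback"


class StateMismatch(Exception):
    """Raised when the callback's state does not match the one this session issued."""


def begin_authorization(session, scope="read"):
    """Mint a fresh, unguessable state, bind it to the caller's session and
    build the authorization request URL. Each call yields a different state,
    so the value is per request rather than fixed in a shared singleton."""
    state = secrets.token_urlsafe(32)  # 256 bits of randomness
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def handle_callback(session, callback_url):
    """Validate the state echoed back on the redirect before accepting the code.
    The stored value is consumed (single use), so a replayed callback fails too."""
    query = parse_qs(urlparse(callback_url).query)
    received = query.get("state", [None])[0]
    expected = session.pop("oauth_state", None)
    if expected is None or received is None:
        raise StateMismatch("no state to compare")
    # Constant-time comparison; avoids leaking how many leading bytes matched.
    if not hmac.compare_digest(expected, received):
        raise StateMismatch("state does not belong to this session")
    code = query.get("code", [None])[0]
    if code is None:
        raise ValueError("callback carried no authorization code")
    return code


def state_from_url(url):
    """Extract the state parameter from an authorization or callback URL."""
    return parse_qs(urlparse(url).query).get("state", [None])[0]


def demo():
    """Legitimate flow succeeds; a login-CSRF style callback is rejected.

    Returns (legit_code, csrf_rejected, replay_rejected)."""
    victim = {}
    url = begin_authorization(victim)
    # The authorization server redirects back with our state and a code.
    legit_cb = f"{REDIRECT_URI}?code=legit-code&state={state_from_url(url)}"
    legit_code = handle_callback(victim, legit_cb)

    # Login CSRF: a callback whose state was minted for a different session
    # lands in the victim's browser. The values do not match, so it is refused.
    other, victim2 = {}, {}
    begin_authorization(victim2)
    other_url = begin_authorization(other)
    forged_cb = f"{REDIRECT_URI}?code=other-code&state={state_from_url(other_url)}"
    try:
        handle_callback(victim2, forged_cb)
        csrf_rejected = False
    except StateMismatch:
        csrf_rejected = True

    # Replaying the already-consumed legitimate callback also fails.
    try:
        handle_callback(victim, legit_cb)
        replay_rejected = False
    except StateMismatch:
        replay_rejected = True
    return legit_code, csrf_rejected, replay_rejected


if __name__ == "__main__":
    print(demo())
```

The state lives in the per-user session, not in a shared resource-details object, which is exactly why a singleton holding one fixed state cannot provide this protection: the value has to differ for every outstanding authorization request and be checked against the session that started it.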
Sep 29th, 2011, 05:08 PM
Seems like SECOAUTH-96 is the answer to my question. So this won't work until this issue is resolved.