
Thread: OAuth 2 support for state in authorization

  1. #1

    OAuth 2 support for state in authorization

    According to the specification, it is strongly RECOMMENDED that the client include the "state" request parameter in authorization requests to the authorization server to mitigate CSRF attacks, particularly login CSRF attacks: draft-ietf-oauth-v2-20#section-10.12

    This doesn't seem to work so far, because apart from SECOAUTH-123, which delivers the string "null" as the redirect URI if we have a state and no pre-established redirect URI, there seems to be no way to add a state dynamically to the authorization request. As far as I can see, the only place to set a state would be AuthorizationCodeResourceDetails, but since this should be a singleton, the state cannot be dynamic (i.e. different for each request).

    Is this correct? If not, how should it be possible to add a dynamic state parameter to the authorization request?

    Best regards and thanks in advance
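The per-request "state" binding the poster is asking for, shown as an added, framework-independent example (not Spring Security OAuth code and not from this thread): the client generates an unguessable state for each authorization request, stores it in the user's session, and on the redirect back rejects the callback unless the returned state matches. The endpoint, client id and redirect URI are placeholders.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder client settings; assumed for this example, not taken from the thread.
AUTHORIZE_ENDPOINT = "https://authz.example/oauth/authorize"
CLIENT_ID = "example-client"
REDIRECT_URI = "https://client.example/callback"


def begin_authorization(session: dict) -> str:
    """Build the authorization request URL with a fresh state bound to this session.

    The state must differ per request (a singleton/static value gives no CSRF
    protection), so it is generated here rather than held in shared config.
    """
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def complete_authorization(session: dict, callback_url: str) -> str:
    """Validate the state echoed back on the redirect and return the authorization code.

    Raises PermissionError on a missing or mismatched state (the login-CSRF case
    the specification's section 10.12 warns about) so the code is never exchanged.
    """
    # Single use: consume the stored state whether or not the check succeeds.
    expected = session.pop("oauth_state", None)
    query = parse_qs(urlparse(callback_url).query)
    received = query.get("state", [None])[0]
    if expected is None or received is None or not hmac.compare_digest(expected, received):
        raise PermissionError("state mismatch or missing: discarding callback")
    code = query.get("code", [None])[0]
    if code is None:
        raise ValueError("callback carries no authorization code")
    return code
```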

  2. #2

    Seems like SECOAUTH-96 is the answer to my question. So this won't work until this issue is resolved.
