  • OAuth 2 support for state in authorization

    According to the specification it is strongly RECOMMENDED that the client includes the "state" request parameter with authorization requests to the authorization server to mitigate against CSRF attacks, particularly for login CSRF attacks: draft-ietf-oauth-v2-20#section-10.12

    This doesn't seem to work so far, because apart from SECOAUTH-123, which delivers the string "null" as redirect uri if we have a state and no pre-established redirect uri, there seems to be no way to add a state dynamically to the authorization request. As far as I can see the only place to set a state would be AuthorizationCodeResourceDetails, but since this should be a singleton, the state cannot be dynamic (i.e. different for each request).

    Is this correct? If not, how should it be possible to add a dynamic state parameter to the authorization request?

    Best regards and thanks in advance
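    For readers who want to see what the per-request "state" handling the post asks about looks like on the client side, here is an added example (not part of this thread, and not Spring Security OAuth code). It stands in for the client with a plain dict as the session store; the endpoint, client id and redirect URI are constructed placeholder values. The state is generated fresh per request, bound to the user's session, compared in constant time on the callback, and consumed so a replayed or attacker-initiated callback is rejected.

```python
"""Per-request OAuth 2 "state" generation and validation on the client side.

Added example, not Spring Security OAuth code. A dict stands in for a
server-side session store; endpoint and client values are constructed.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder values for the example.
AUTHORIZE_ENDPOINT = "https://auth.example.com/oauth/authorize"
CLIENT_ID = "example-client"
REDIRECT_URI = "https://client.example.com/callback"


def build_authorization_url(session: dict) -> str:
    """Create an unguessable state for this request, bind it to the caller's
    session, and return the authorization request URL that carries it."""
    state = secrets.token_urlsafe(32)      # 256 bits of randomness, URL-safe
    session["oauth_state"] = state         # bound to this browser session only
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> str:
    """Validate the state on the redirect back from the authorization server.
    Returns the authorization code on success, raises ValueError otherwise."""
    query = parse_qs(urlparse(callback_url).query)
    # One-time use: the stored state is consumed whether or not the check passes,
    # so a replayed callback cannot succeed a second time.
    expected = session.pop("oauth_state", None)
    received = query.get("state", [None])[0]
    if expected is None or received is None:
        raise ValueError("missing state: callback not initiated by this session")
    if not hmac.compare_digest(expected.encode(), received.encode()):
        raise ValueError("state mismatch: possible login CSRF")
    code = query.get("code", [None])[0]
    if code is None:
        raise ValueError("authorization response carries no code")
    return code


if __name__ == "__main__":
    session = {}
    print("redirect user to:", build_authorization_url(session))
    # Simulated legitimate callback echoing the state stored in the session.
    legit = f"{REDIRECT_URI}?code=abc123&state={session['oauth_state']}"
    print("code:", handle_callback(session, legit))
```

    The session binding is what makes the check meaningful: a state that is the same for every request (as it would be if it lived on a singleton configuration object) could be learned by anyone and would not tie the callback to the session that started the flow.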

  • #2
    Seems like SECOAUTH-96 is the answer to my question. So this won't work until this issue is resolved.