From: Shane Weeden <swee...@au1.ibm.com>
Date: Tue, 5 Jul 2011 13:24:36 -0700

> 6. Section 4.1.1 Authorization Request and section 4.2.1 Authorization Request
>
> To protect against CSRF I believe the state parameter should be REQUIRED, unless someone can demonstrate a scenario where it is not used and CSRF is avoided by other means.

We need more text explaining exactly how the state parameter should be used to prevent CSRF if we are going to make it required (I don't have a position on the actual proposal). Otherwise, including it with a fixed value satisfies the requirement without adding any value (just wasting bandwidth).

EHL
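As an added illustration of the point under discussion (this is example code written for this page, not code from the thread, the OAuth working group or any library): a client uses `state` against CSRF by generating an unguessable value per authorization request, binding it to the end-user's own session, and accepting a redirect back only if the value matches and has not been used before. The constant-value variant is shown beside it to make EHL's objection concrete: a fixed `state` is present and so satisfies a "REQUIRED" rule, but it binds nothing. The endpoint URLs, client id, session dictionary and the `oauth_state` key are assumptions for illustration; the parameter names are those of the draft.

```python
"""Added example (not from the mailing-list thread): binding an OAuth 2.0
authorization request to the user's session with the `state` parameter.
Endpoint URLs, client id and the session store are constructed assumptions."""

import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed client configuration (assumed values, not from the thread)
AUTHZ_ENDPOINT = "https://authorization-server.example/authorize"
CLIENT_ID = "client-123"
REDIRECT_URI = "https://client.example/callback"
STATE_KEY = "oauth_state"  # assumed session key name


def build_authorization_request(session: dict) -> str:
    """Create a fresh CSPRNG state, remember it in this user's session only,
    and carry it in the authorization request URL."""
    state = secrets.token_urlsafe(32)  # 256 bits of entropy, URL-safe
    session[STATE_KEY] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def verify_callback(session: dict, callback_url: str) -> bool:
    """Accept the redirect only if its state equals the value stored in this
    session. The stored value is consumed on every attempt, so each state is
    usable at most once; a callback for a session with no pending request,
    or with a state minted for some other session, is rejected."""
    expected = session.pop(STATE_KEY, None)
    if expected is None:
        return False  # no authorization request pending in this session
    query = parse_qs(urlparse(callback_url).query)
    received = query.get("state", [None])[0]
    if received is None:
        return False  # state missing from the redirect
    # Constant-time comparison; bytes so non-ASCII input cannot raise
    return hmac.compare_digest(expected.encode(), received.encode())


def fixed_state_check(callback_url: str) -> bool:
    """The weak variant EHL describes: a constant state. It passes a
    'parameter is present' test but is identical for every user and every
    request, so any redirect carrying the constant is accepted."""
    query = parse_qs(urlparse(callback_url).query)
    return query.get("state", [None])[0] == "static"
```

The client must run `verify_callback` before it exchanges the `code` for a token; the check is what ties the incoming code to the request this user actually started. Because the state is popped on the first attempt, a replayed or duplicated callback fails even when it carries the right value.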
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth