Hi John, Thanks a lot for your explanation!
I am a bit confused regarding "state" parameter and cookies. I thought that "state" is included in redirection URI for user-agent and verified by client when Authorization server redirects user-agent back. It is a way to bind authorization request to response (4.1. Authorization Code Grant, steps (A) and (C)). Are the cookies really necessary in this case? Can they provide additional protection in case if redirect URI manipulated? Regards, Andrei. > -----Original Message----- > From: John Bradley [mailto:ve7...@ve7jtb.com] > Sent: Freitag, 25. April 2014 14:03 > To: Andrei Shakirin > Cc: oauth@ietf.org > Subject: Re: [OAUTH-WG] Session cookies in OAuth2 flow > > Yes the server can be stateless, though it may need to store client > credentials > and user to validate against, and refresh token grants etc. > > The "state" parameter allows the client to maintain some state information > across the Oauth authorization request and response. > > Part of the use of that state information by the client allows it to protect > itself > from having authorization requests initiated by 3rd parties that is what Sec > 10.12 is talking about. > In that case the client can save state in a browser cookie or in the server > and > use that to validate the returned state value to assure itself that the > authorization request came from itself. > > John B. > > On Apr 25, 2014, at 4:08 AM, Andrei Shakirin <ashaki...@talend.com> wrote: > > > Hi Antonio, > > > > Thanks for your quick answer. > > Important for me is that OAuth2 doesn't force to store client or user-agent > states in the authorization server, so authorization server can be stateless > and > is not obligated to introduce the sessions at all. > > > > Regards, > > Andrei. > > > >> -----Original Message----- > >> From: Antonio Sanso [mailto:asa...@adobe.com] > >> Sent: Freitag, 25. April 2014 09:02 > >> To: Andrei Shakirin > >> Cc: oauth@ietf.org > >> Subject: Re: [OAUTH-WG] Session cookies in OAuth2 flow > >> > >> hi Andrei, > >> > >> AFAIU session cookie management is beyond the scope of the OAuth2 > >> specification. > >> > >> regards > >> > >> antonio > >> > >> On Apr 24, 2014, at 6:39 PM, Andrei Shakirin <ashaki...@talend.com> > wrote: > >> > >>> Hi, > >>> > >>> My name is Andrei Shakirin, I am working with OAuth2 implementation > >>> in > >> Apache CXF project. > >>> Could you please help me to verify my understanding regarding of > >>> using > >> session cookies in OAuth2 flow. > >>> OAuth2 specification mentions session cookies in: > >>> 1) Section 3.1. Authorization Endpoint as possible way to > >>> authenticate > >> resource owner against authorization server > >>> 2) Section 10.12. Cross-Site Request Forgery as possible attack > >>> where end- > >> user follows a malicious URI to a trusting server including a valid > >> session cookie > >>> > >>> My current understanding is: > >>> a) using sessions between user-agent and authorization server is > >>> optional and > >> authorization server is not obligated to keep user state (in case if > >> user-agent provide authentication information with every request). > >>> b) in case if sessions are used (because of any reasons), > >>> authorization server > >> have to care about additional protection like hidden form fields in > >> order to uniquely identify the actual authorization request. > >>> > >>> Is this correct? > >>> > >>> Regards, > >>> Andrei. > >>> > >>> _______________________________________________ > >>> OAuth mailing list > >>> OAuth@ietf.org > >>> https://www.ietf.org/mailman/listinfo/oauth > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
