Agreed. Also, pointing to the OWASP guide or something similar for CSRF tokens may be
useful.
On Tue, May 10, 2016 at 11:37 Daniel Fett <f...@uni-trier.de> wrote:

> Regardless of what state actually is, the documentation (also the one
> for OIDC) should make clear that the same state should not be sent to
> two different AS, and that a state issued for AS #1 should be invalid
> for AS #2.
>
> On 10.05.2016 at 09:31, Anthony Nadalin wrote:
> > STATE can be anything, it does not have to be a NONCE so changing this
> > would cause issues at this time for existing deployments
> >
> >
> >
> > *From:*OAuth [mailto:oauth-boun...@ietf.org] *On Behalf Of *Nat Sakimura
> > *Sent:* Monday, May 9, 2016 7:34 PM
> > *To:* Guido Schmitz <g.schm...@gtrs.de>; oauth@ietf.org
> > *Subject:* Re: [OAUTH-WG] Multi-AS State Re-Use
> >
> >
> >
> > As far as I am aware, state was meant to be a nonce. Replay possibility
> > etc. were known. It is probably bad documentation that every reviewer
> > missed because they were assuming it.
>
>
> --
> Information Security and Cryptography
> Universität Trier - Tel. 0651 201 2847 - H436
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
-- 
Nat Sakimura
Chairman of the Board, OpenID Foundation
Trustee, Kantara Initiative
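The binding Daniel Fett asks for, as an added Python sketch that is not code from any participant in this thread or from any spec: each state is a fresh nonce recorded against the AS it was issued for, it is consumed exactly once, and a callback carrying a state minted for a different AS (or a replayed one) is rejected before the code is redeemed. The StateStore class, the issuer URLs and the assumption that the client registers one redirect_uri per AS (so it knows which AS is calling back) are mine.

```python
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode


class StateStore:
    """Client-side store binding each OAuth ``state`` value to exactly one AS.

    Assumed design: every authorization request gets a fresh random state,
    recorded together with the issuer it was sent to, and is consumed once.
    """

    def __init__(self) -> None:
        self._pending: Dict[str, str] = {}  # state -> issuer it was minted for

    def issue(self, issuer: str) -> str:
        state = secrets.token_urlsafe(32)  # unguessable nonce, never reused
        self._pending[state] = issuer
        return state

    def consume(self, issuer: str, state: str) -> bool:
        # pop() makes the state single-use, so a replayed callback also fails
        expected = self._pending.pop(state, None)
        return expected is not None and secrets.compare_digest(expected, issuer)


def build_authz_url(store: StateStore, issuer: str, authz_endpoint: str,
                    client_id: str, redirect_uri: str) -> str:
    """Mint a state for this issuer and put it in the authorization request."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": store.issue(issuer)}
    return authz_endpoint + "?" + urlencode(params)


def handle_callback(store: StateStore, issuer: str, query: str) -> Optional[str]:
    """Return the authorization code only if state is valid for this issuer.

    ``issuer`` is the AS whose redirect_uri received this callback (assumed:
    one registered redirect_uri per AS). A state issued for AS #1 that shows
    up at AS #2's callback, a missing state, or a reused state all fail here.
    """
    q = parse_qs(query)
    state = q.get("state", [None])[0]
    code = q.get("code", [None])[0]
    if state is None or code is None or not store.consume(issuer, state):
        return None  # CSRF / cross-AS / replayed callback: do not redeem code
    return code
```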