> On 16. Nov 2019, at 02:07, Vineet Banga <vineetbanga=40google....@dmarc.ietf.org> wrote:
>
> Just one comment/question at the moment:
>
> 3.1.1 - Is there any recommendation around leveraging state vs using multiple URIs (with exact match) to remember the application state of the client? I have seen an exploding list of registered redirect URIs, but am not aware of any security issues around this usage. But would like to check if there are any opinions on this matter.
The BCP recommends transaction-specific, one-time-use state values for CSRF prevention. To achieve the same protection level with redirect URIs and exact match, one would need to register per-transaction redirect URI values. Do your redirect URIs meet those requirements?

> On Wed, Nov 6, 2019 at 12:27 AM Hannes Tschofenig <hannes.tschofe...@arm.com> wrote:
>
> Hi all,
>
> this is a working group last call for "OAuth 2.0 Security Best Current Practice".
>
> Here is the document:
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13
>
> Please send your comments to the OAuth mailing list by Nov. 27, 2019.
> (We use a three week WGLC because of the IETF meeting.)
>
> Ciao
> Hannes & Rifaat
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
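As an added example (not code from the thread, the draft, or either poster), here is a minimal client-side implementation of what the reply describes: one exactly-matching registered redirect URI, a fresh random state value per authorization transaction that is accepted exactly once, and the client's own application state looked up by that state value instead of being encoded in a growing list of redirect URIs. The authorization endpoint, client id, redirect URI and authorization code values are constructed placeholders, and the state lifetime is an assumed default.

```python
import secrets
import time
from urllib.parse import urlencode, parse_qs, urlsplit

# Constructed placeholder values for the example; not from any real deployment.
AUTHORIZATION_ENDPOINT = "https://as.example/authorize"   # hypothetical AS
CLIENT_ID = "example-client"                                # hypothetical client id
REDIRECT_URI = "https://client.example/cb"                  # the single registered URI (exact match)
STATE_TTL_SECONDS = 600                                     # assumed lifetime for a pending request


class OAuthClientSession:
    """Client-side state for one user-agent session.

    Every authorization request gets its own random, one-time-use state value,
    so a redirect back to the client can only be consumed by the session that
    started that particular transaction (CSRF protection). Application state,
    such as where to send the user afterwards, is stored under the state value
    rather than being encoded in many distinct registered redirect URIs.
    """

    def __init__(self):
        self.pending = {}  # state -> (created_at, application_state)

    def build_authorization_request(self, application_state):
        # 256 bits of randomness: unguessable, unique per transaction.
        state = secrets.token_urlsafe(32)
        self.pending[state] = (time.time(), application_state)
        params = {
            "response_type": "code",
            "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI,   # always the one registered, exact-match URI
            "state": state,
        }
        return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}"

    def handle_callback(self, callback_url, now=None):
        """Validate the redirect back from the AS; return (code, application_state).

        Raises ValueError for a missing, unknown, reused or expired state, which
        is exactly the case a forged (cross-site) callback would produce.
        """
        now = time.time() if now is None else now
        query = parse_qs(urlsplit(callback_url).query)
        state_values = query.get("state", [])
        if len(state_values) != 1:
            raise ValueError("missing or duplicated state parameter")
        # pop() enforces one-time use: a second callback with the same state fails.
        entry = self.pending.pop(state_values[0], None)
        if entry is None:
            raise ValueError("unknown or already used state (possible CSRF)")
        created_at, application_state = entry
        if now - created_at > STATE_TTL_SECONDS:
            raise ValueError("state expired")
        code_values = query.get("code", [])
        if len(code_values) != 1:
            raise ValueError("missing or duplicated authorization code")
        return code_values[0], application_state


def extract_state(authorization_url):
    """Helper for tests and logging: read the state value out of a built request URL."""
    return parse_qs(urlsplit(authorization_url).query)["state"][0]


if __name__ == "__main__":
    session = OAuthClientSession()
    url = session.build_authorization_request({"return_to": "/dashboard"})
    state = extract_state(url)
    # Constructed callback as the AS would redirect it; the code value is a placeholder.
    code, app_state = session.handle_callback(f"{REDIRECT_URI}?code=constructed-code-123&state={state}")
    print("accepted code", code, "for", app_state)
    try:
        session.handle_callback(f"{REDIRECT_URI}?code=constructed-code-123&state={state}")
    except ValueError as exc:
        print("replay rejected:", exc)
```

The contrast with the redirect-URI approach is in `build_authorization_request`: the binding between browser session and transaction lives entirely in the `state` value, so the registered redirect URI can stay a single exact-match entry. Doing the same binding with redirect URIs would require registering a new, unguessable URI for every transaction, which is what the reply points out.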