> On 17. Nov 2019, at 05:42, Vineet Banga <vineetba...@google.com> wrote:
> 
> 
> On Fri, Nov 15, 2019 at 11:51 PM Torsten Lodderstedt 
> <tors...@lodderstedt.net> wrote:
> 
> > > On 16. Nov 2019, at 02:07, Vineet Banga 
> > > <vineetbanga=40google....@dmarc.ietf.org> wrote:
> > > 
> > > Just one comment/question at the moment:
> > > 3.1.1 - Is there any recommendation around leveraging state vs using 
> > > multiple URIs (with exact match) to remember the application state of the 
> > > client? I have seen exploding lists of registered redirect URIs, but am not 
> > > aware of any security issues around this usage. But would like to check if 
> > > there are any opinions on this matter..
> 
> > The BCP recommends transaction specific one time use state values for CSRF 
> > prevention. To achieve the same protection level with redirect URIs and 
> > exact match, one would need to register per transaction redirect URI values. 
> > 
> > Do your redirect URIs meet those requirements?
> No. I think the options are using state purely for CSRF or using 
> [I-D.bradley-oauth-jwt-encoded-state], which is called out in the BCP. Using 
> encoded JWT can be used to limit the number of redirect URIs. 

So you are saying "state" is used for CSRF. Then what is the rationale of your 
original question? To move towards application state encoded in redirect URIs?

> > On Wed, Nov 6, 2019 at 12:27 AM Hannes Tschofenig 
> > <hannes.tschofe...@arm.com> wrote:
> > Hi all,
> > 
> > this is a working group last call for "OAuth 2.0 Security Best Current 
> > Practice".
> > 
> > Here is the document:
> > https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13
> > 
> > Please send your comments to the OAuth mailing list by Nov. 27, 2019.
> > (We use a three week WGLC because of the IETF meeting.)
> > 
> > Ciao
> > Hannes & Rifaat
> > 
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
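As an added illustration of the point the thread is circling (example code written for this page; it is not from the thread, the BCP, or draft-bradley-oauth-jwt-encoded-state): a client with a single exact-match redirect URI mints a transaction-specific, one-time state that is bound to the browser session for CSRF protection, and carries its application state (the path to continue to afterwards) as a claim inside that signed state, so no per-target redirect URIs need registering. The client ID, endpoints, HMAC key, allow-list of return targets and the `session` dict standing in for a cookie-backed server session are all hypothetical; the claim names `rfp`, `iat`, `exp` and `target_link_uri` follow that draft.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical client configuration (assumed for this example, not from the thread):
# one registered redirect URI for the whole client, an allow-list of paths the
# client is willing to send the browser back to, and a client-side HMAC key
# that never leaves the client.
AUTHORIZATION_ENDPOINT = "https://as.example/authorize"
REDIRECT_URI = "https://client.example/cb"
CLIENT_ID = "s6BhdRkqt3"
ALLOWED_TARGETS = {"/dashboard", "/settings", "/reports"}
STATE_KEY = secrets.token_bytes(32)
STATE_TTL = 300  # seconds a pending authorization request stays valid


class StateError(ValueError):
    """Raised when a state returned on the callback fails verification."""


def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_state(claims: dict) -> str:
    """Compact HS256 JWT over the claims. Integrity only: the payload is not secret."""
    header = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64u(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(STATE_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64u(mac)}"


def make_state(session: dict, target_link_uri: str, now=None) -> str:
    """Mint a transaction-specific state: a fresh rfp remembered in this browser
    session, plus the application state (where to return) as a signed claim."""
    if target_link_uri not in ALLOWED_TARGETS:
        raise ValueError("refusing to encode an unknown return target")
    now = int(time.time()) if now is None else now
    rfp = b64u(secrets.token_bytes(32))
    # The session keeps the set of outstanding rfp values; each is consumed on
    # first use, so a replayed or cross-session state is rejected later.
    session.setdefault("pending_rfp", set()).add(rfp)
    claims = {"rfp": rfp, "iat": now, "exp": now + STATE_TTL, "target_link_uri": target_link_uri}
    return sign_state(claims)


def authorization_url(session: dict, target_link_uri: str, now=None) -> str:
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,  # the same exact-match URI for every target
        "state": make_state(session, target_link_uri, now),
    }
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}"


def state_from_url(url: str) -> str:
    return parse_qs(urlparse(url).query).get("state", [""])[0]


def verify_state(session: dict, state: str, now=None) -> str:
    """Check signature, expiry, session binding and one-time use; return the target."""
    now = int(time.time()) if now is None else now
    parts = state.split(".")
    if len(parts) != 3:
        raise StateError("malformed state")
    header_b64, payload_b64, sig_b64 = parts
    expected = hmac.new(STATE_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    try:
        sig = b64u_decode(sig_b64)
    except ValueError as exc:
        raise StateError("undecodable signature") from exc
    # The MAC is always HS256 under our own key; the alg header is never dispatched on.
    if not hmac.compare_digest(expected, sig):
        raise StateError("bad signature")
    claims = json.loads(b64u_decode(payload_b64))  # parsed only after the MAC checks out
    if not isinstance(claims.get("exp"), int) or claims["exp"] < now:
        raise StateError("expired state")
    pending = session.get("pending_rfp", set())
    if claims.get("rfp") not in pending:
        raise StateError("state not bound to this session or already used")
    pending.discard(claims["rfp"])  # one-time use
    target = claims.get("target_link_uri")
    if target not in ALLOWED_TARGETS:
        raise StateError("unknown return target")  # never an open redirect
    return target


def handle_callback(session: dict, callback_url: str, now=None) -> dict:
    """Process the redirect back from the AS. The code is only accepted once the
    state proves this response belongs to a request this session started."""
    query = parse_qs(urlparse(callback_url).query)
    try:
        target = verify_state(session, query.get("state", [""])[0], now)
    except StateError as exc:
        return {"ok": False, "error": str(exc)}
    return {"ok": True, "code": query.get("code", [""])[0], "target": target}
```

The `session` dict plays the role of the client's cookie-backed session: the `rfp` value is generated per transaction, stays with the browser, and is discarded on first successful use. A state minted by an attacker in their own session and injected into a victim's callback, a replayed state, an expired one, or a state whose `target_link_uri` was edited all fail, while every legitimate flow still lands on the one registered redirect URI.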