Hi Prabath,

Thanks for your comment! Here are my thoughts.

I don’t believe embedding the state in the AT would help. The state is generated (hence verified, if used for protection) by the client, but the content of the AT is really meant for the RS, which has no direct knowledge of what the state value should be, not in the first nor all the subsequent uses of the AT within its validity period. Also, the client itself is forbidden to inspect the content of the access token; you can find the details behind that in recent discussions on the list.

I’ll add to this that the implicit grant is on its way out of the grants stage, hence doing major changes to accommodate its quirks wouldn’t give a lot of ROI.

HTH
Thanks!
V.
From: OAuth <oauth-boun...@ietf.org> on behalf of Prabath Siriwardena <prabath=40wso2....@dmarc.ietf.org>
Date: Thursday, May 7, 2020 at 11:56
To: Rifaat Shekh-Yusef <rifaat.i...@gmail.com>, oauth <oauth@ietf.org>
Subject: [OAUTH-WG] [JWT Profile for OAuth 2.0 Access Tokens] Adding state into the JWT

Hi all,

Can we say in [1] that the AS should add the value of the state parameter from the authorization request (if present) to the JWT access token it generates? This will help to address the token injection issue [2] with respect to the implicit grant type.

Appreciate your thoughts on this.

[1]: https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-07
[2]: https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-4.6

Thanks
-Prabath

On Tue, May 5, 2020 at 11:19 AM Rifaat Shekh-Yusef <rifaat.i...@gmail.com> wrote:

Hi all,

This is a 3rd working group last call for "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens".

Here is the document:
https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-07

Please send your comments to the OAuth mailing list by May 12, 2020.

Regards,
Rifaat & Hannes

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth