Thanks Vittorio for your thoughts!
On Thu, May 7, 2020 at 1:29 PM Vittorio Bertocci <vittorio.bertocci= 40auth0....@dmarc.ietf.org> wrote:
> Hi Prabath,
>
> Thanks for your comment! Here are my thoughts.
>
> I don’t believe embedding the state in the AT would help. The state is generated (hence verified, if used for protection) by the client, but the content of the AT is really meant for the RS, which has no direct knowledge of what the state value should be, not in the first nor in all the subsequent uses of the AT within its validity period. Also, the client itself is forbidden to inspect the content of the access token; you can find the details behind that in recent discussions on the list.
>
> I’ll add to this that the implicit grant is on its way out of the grants stage, hence doing major changes to accommodate its quirks wouldn’t give a lot of ROI.
>
> HTH
>
> Thanks!
>
> V.
>
> *From: *OAuth <oauth-boun...@ietf.org> on behalf of Prabath Siriwardena <prabath=40wso2....@dmarc.ietf.org>
> *Date: *Thursday, May 7, 2020 at 11:56
> *To: *Rifaat Shekh-Yusef <rifaat.i...@gmail.com>, oauth <oauth@ietf.org>
> *Subject: *[OAUTH-WG] [JWT Profile for OAuth 2.0 Access Tokens] Adding state into the JWT
>
> Hi all,
>
> Can we say in [1] that the AS should add the value of the *state* parameter from the authorization request (if present) to the JWT access token it generates?
>
> This will help to address the token injection issue [2] with respect to the implicit grant type.
>
> Appreciate your thoughts on this.
>
> [1]: https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-07
> [2]: https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-4..6
>
> Thanks
> -Prabath
>
> On Tue, May 5, 2020 at 11:19 AM Rifaat Shekh-Yusef <rifaat.i...@gmail.com> wrote:
> > Hi all,
> >
> > This is a 3rd working group last call for "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens".
> >
> > Here is the document:
> > https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-07
> >
> > Please send your comments to the OAuth mailing list by May 12, 2020.
> >
> > Regards,
> > Rifaat & Hannes
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth