Well hey now.
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
is one of the more popular resources on CSRF at OWASP.
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) is
also pretty popular and points to a wide variety of resources on the t
Agreed. Also, pointing to OWASP guide or something for CSRF token may be
useful.
On Tue, May 10, 2016 at 11:37 Daniel Fett wrote:
> Regardless of what state actually is, the documentation (also the one
> for OIDC) should make clear that the same state should not be sent to
> two different AS, and
That's a very valid scenario actually. Even so that it should actually be
handled in the draft.
Scenario: In the continuum of large and small devices an unconstrained
client and AS goes through the hoops of issuing a token using standard
(HTTP/JSON). The Resource Server however is constrained and w
Hi all,
End of April I had the chance to talk to Michael Barroco (from the
European Broadcasting Union) and to Chris Needham (from the BBC)
regarding their use of OAuth 2.0 for broadcasters.
In March Michael dropped a mail to the OAuth mailing list to make us
aware of their work, see
https://www.