Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-21 Thread Torsten Lodderstedt
Hi Eran, This is still just a CSRF attack. I think you may be right. I still believe this particular style of attack on the authorization server is worth mentioning, be it in its own separate section or under the existing CSRF section (as you suggested). This is not a style of attack but techn

Re: [OAUTH-WG] Auth Code Swap Attack

2011-08-21 Thread Torsten Lodderstedt
My intention is to require clients to implement CSRF prevention. I thought making the state parameter mandatory would be the straightforward way. regards, Torsten. Am 18.08.2011 08:04, schrieb Eran Hammer-Lahav: I would like to hear from the other 3 authors of the proposed change about thei

Re: [OAUTH-WG] Auth Code Swap Attack

2011-08-21 Thread Eran Hammer-Lahav
In light of the recent discussion, do you still feel that changing 'state' from optional to required is the best approach? EHL From: Torsten Lodderstedt [mailto:tors...@lodderstedt.net] Sent: Sunday, August 21, 2011 11:04 AM To: Eran Hammer-Lahav Cc: OAuth WG (oauth@ietf.org) Subject: Re: [OAUTH-

Re: [OAUTH-WG] Auth Code Swap Attack

2011-08-21 Thread David Recordon
So far Facebook has used `state` in examples within our documentation and strongly recommends it, but has not gone so far as to mandate it. Quoting https://developers.facebook.com/docs/authentication/: > Cross site request forgery is an attack in which a trusted (authenticated > and authorized) us

Re: [OAUTH-WG] Auth Code Swap Attack

2011-08-21 Thread Phil Hunt
I think the complication here is that CSRF issues are multi-site issues where the attacker cross-connects his client with a victim's resource, or a victim's client with the attacker's resource. So while an individual site (e.g. Facebook) may presume little or no risk - there is a network effect

Re: [OAUTH-WG] Auth Code Swap Attack

2011-08-21 Thread Eran Hammer-Lahav
> -Original Message- > From: Phil Hunt [mailto:phil.h...@oracle.com] > Sent: Sunday, August 21, 2011 10:39 PM > To: David Recordon > Cc: Eran Hammer-Lahav; OAuth WG (oauth@ietf.org) > Subject: Re: [OAUTH-WG] Auth Code Swap Attack > > I think the complication here is that CSRF issues are