[OAUTH-WG] How an AS can validate the state parameter?

Andrew Arnott <andrewarnott@gmail.com> Sun, 19 February 2012 15:36 UTC

From section 10.14: (draft 23)

> The Authorization server and client MUST validate and sanitize any value
> received, and in particular, the value of the state and redirect_uri
> parameters.


Elsewhere in the spec the AS is instructed to exactly preserve the state
and to consider it an opaque value.  How, then, can an AS validate and
sanitize the state parameter?

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre
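
One way an AS could reconcile the two requirements, as an added example that is not part of the original message or of the draft: leave the state value uninterpreted and return it unchanged, but check its syntax on input and percent-encode it when building the redirect. The length limit, the printable-ASCII rule (the VSCHAR grammar that the final RFC 6749 gives for state, assumed here) and all function names are assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

MAX_STATE_LEN = 512                   # assumed local limit, not from the spec
VSCHAR = re.compile(r"[\x20-\x7e]+")  # printable ASCII only (assumed rule)


class InvalidRequest(Exception):
    """Would map to an OAuth 'invalid_request' error response."""


def check_state(state):
    """Syntax check only: the AS never parses or rewrites the value."""
    if state is None:                 # state is optional in the request
        return None
    if len(state) > MAX_STATE_LEN or not VSCHAR.fullmatch(state):
        # Rejects empty values and control characters such as CR/LF,
        # so they never reach the Location header.
        raise InvalidRequest("state is malformed")
    return state                      # returned unchanged


def build_redirect(redirect_uri, code, state):
    """Append code and state to an already-validated redirect_uri.

    Encoding happens here, at the output boundary, so the client
    decodes exactly the string it originally sent.
    """
    parts = urlsplit(redirect_uri)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("code", code))
    if state is not None:
        query.append(("state", check_state(state)))
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    # Constructed sample values.
    print(build_redirect("https://client.example/cb?x=1", "abc", "a b&c=d#x"))
```

The AS treats the value as opaque in the sense that it attaches no meaning to it; rejecting a malformed value outright, rather than stripping characters from it, keeps the "exactly preserve" requirement intact for every value that is accepted.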