Re: [OAUTH-WG] best practice for Native app + state param?

George Fletcher <> Tue, 19 January 2016 19:32 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id B77731B34E6 for <>; Tue, 19 Jan 2016 11:32:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id MYybR2K5Kwup for <>; Tue, 19 Jan 2016 11:32:09 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3CBA91B34E2 for <>; Tue, 19 Jan 2016 11:32:09 -0800 (PST)
Received: from ( []) by (Outbound Mail Relay) with ESMTP id 5430238000BD; Tue, 19 Jan 2016 14:32:08 -0500 (EST)
Received: from [] (unknown []) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by (MUA/Third Party Client Interface) with ESMTPSA id ED6E538000089; Tue, 19 Jan 2016 14:32:07 -0500 (EST)
To: Lewis Adam-CAL022 <>
References: <> <>
From: George Fletcher <>
Organization: AOL LLC
Message-ID: <>
Date: Tue, 19 Jan 2016 14:32:07 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/alternative; boundary="------------090308090806070809010400"
x-aol-global-disposition: G
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; t=1453231928; bh=03Gv8pNf3e4rJPSIt7y7D1nSIRteMcsCGo51ZvEo+js=; h=From:To:Subject:Message-ID:Date:MIME-Version:Content-Type; b=k55nslZkl//P1KHWxA+DChDrUwkLYiPM94OBzIW6M5//Zujn796oTHQyNfQePlHp2 C0ZTgDPuNnw/9gCkPbK3ynVsQLA58F/B78fLv61XDVKw4yhzH9hUVYjuDlkxe6RV3Z szavrIIU2Igc/3ZAM92PdZzwZy6SHFAFaU1L8xwM=
x-aol-sid: 3039ac1afe8d569e8f373f79
Archived-At: <>
Cc: "<>" <>
Subject: Re: [OAUTH-WG] best practice for Native app + state param?
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 19 Jan 2016 19:32:11 -0000

+1 to both using state and PKCE (especially when using system web 
controllers; e.g. safari-view-controller).

On 1/19/16 11:29 AM, Justin Richer wrote:
> I think there’s no advice because it’s not different: you should still be using the state parameter. Just use a random value with high enough entropy, which is also what most web applications do (the advice in the spec is weird and I think a remnant of Bradley making things too complicated in his advice). In a web app, it gets tied to the session cookie back on the server, you don’t need any particularly fancy binding beyond your usual session management. In a native app, just store it in the application before you send it and look it up on the way back to make sure it matches. Combine this with PKCE and you’ve got a pretty solid set of protections for native apps.
>   — Justin
>> On Jan 19, 2016, at 10:18 AM, Adam Lewis <> wrote:
>> Hi,
>> I have not been able to find any usage for the state parameter in authorization requests for native apps.  Further, the spec guidance of using a hash of the session cookie as the value of the state param doesn't apply for native apps.
>> draft-wdenniss-oauth-native-apps is silent on the matter.
>> Usage of state seems to be unique to clients conforming to the web app profile.
>> Bottom line, looking to vet that it's safe to omit the state parameter in the authorization request for native apps, and that I'm not missing something critical.
>> _______________________________________________
>> OAuth mailing list
> _______________________________________________
> OAuth mailing list

Chief Architect
Identity Services Engineering     Work:
AOL Inc.                          AIM:  gffletch
Mobile: +1-703-462-3494           Twitter:
Office: +1-703-265-2544           Photos: