[OAUTH-WG] Session cookies in OAuth2 flow

Andrei Shakirin <ashakirin@talend.com> Thu, 24 April 2014 16:39 UTC

Return-Path: <ashakirin@talend.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id A65EF1A037A for <oauth@ietfa.amsl.com>; Thu, 24 Apr 2014 09:39:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.002
X-Spam-Status: No, score=-0.002 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 9s80zjTccYv0 for <oauth@ietfa.amsl.com>; Thu, 24 Apr 2014 09:39:54 -0700 (PDT)
Received: from mxout.myoutlookonline.com (mxout.myoutlookonline.com []) by ietfa.amsl.com (Postfix) with ESMTP id DCDDB1A01E1 for <oauth@ietf.org>; Thu, 24 Apr 2014 09:39:53 -0700 (PDT)
Received: from mxout.myoutlookonline.com (localhost []) by mxout.myoutlookonline.com (Postfix) with ESMTP id B92457B355D for <oauth@ietf.org>; Thu, 24 Apr 2014 12:39:46 -0400 (EDT)
X-Virus-Scanned: by SpamTitan at mail.lan
Received: from S10HUB001.SH10.lan (unknown []) by mxout.myoutlookonline.com (Postfix) with ESMTP id 140E17B336E for <oauth@ietf.org>; Thu, 24 Apr 2014 12:39:46 -0400 (EDT)
Received: from S10BE002.SH10.lan ([::1]) by S10HUB001.SH10.lan ([::1]) with mapi id 14.01.0438.000; Thu, 24 Apr 2014 12:39:46 -0400
From: Andrei Shakirin <ashakirin@talend.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: Session cookies in OAuth2 flow
Thread-Index: Ac9f1m601wyijPx7QUKZAdgpumsSsw==
Date: Thu, 24 Apr 2014 16:39:45 +0000
Message-ID: <D225CD69196F3F4A9F4174B2FCA06F8811EC7E92@S10BE002.SH10.lan>
Accept-Language: en-GB, en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/YaB1YYYkG7GB0wneohxQh_WkONo
Subject: [OAUTH-WG] Session cookies in OAuth2 flow
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Apr 2014 16:41:43 -0000


My name is Andrei Shakirin, I am working with OAuth2 implementation in Apache CXF project.
Could you please help me to verify my understanding regarding of using session cookies in OAuth2 flow.
OAuth2 specification mentions session cookies in:
1) Section 3.1. Authorization Endpoint as possible way to authenticate resource owner against authorization server
2) Section 10.12. Cross-Site Request Forgery as possible attack where end-user follows a malicious URI to a trusting server including a valid session cookie

My current understanding is:
a) using sessions between user-agent and authorization server is optional and authorization server is not obligated to keep user state (in case if user-agent provide authentication information with every request).
b) in case if sessions are used (because of any reasons), authorization server have to care about additional protection like hidden form fields in order to uniquely identify the actual authorization request.

Is this correct?