Re: [OAUTH-WG] [JWT Profile for OAuth 2.0 Access Tokens] Adding state into the JWT

Vittorio Bertocci <> Thu, 07 May 2020 20:29 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 67DA53A0D66 for <>; Thu, 7 May 2020 13:29:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 8eYMaQOS2vCc for <>; Thu, 7 May 2020 13:29:42 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::102b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0EBC33A0D63 for <>; Thu, 7 May 2020 13:29:41 -0700 (PDT)
Received: by with SMTP id fu13so3146006pjb.5 for <>; Thu, 07 May 2020 13:29:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=from:to:subject:thread-topic:thread-index:date:message-id :references:in-reply-to:accept-language:content-language :mime-version; bh=Tlo/D8XYULWbKvg5+bABHM3KS9fKNgZKvVMS7t0p0eI=; b=JIfCErmFQurMe+hVaO74lKGTQ3dMBkM5QqnGyTDeZsf01FmvXB5KNX2PwJHNqE+KFF POcX58aATerAPzRXXl/3kH7aFuZp3i0fpaCWdF3eM3oB+qEwfC+9ZlIBLDfHCD0QIUhz /+sOV1BkK7KP9YAg2wK3h1RdcnNcRWs+LKKZgZzjdt08PyFwux7qmyUYn0vUPg5KWWnU SoJrydD5KzIEVXFUCLG5pKNBL0VLs/5yzd2htU8UCHHHvCak7HPyvSiaV730OzGQatl2 dvdBlWbKuEL5jzWfZvUvXqZU7bdLU+m+Cs/uh3jtppVL4IG2JPLalx+6KejWyAA2seOs IIww==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:to:subject:thread-topic:thread-index:date :message-id:references:in-reply-to:accept-language:content-language :mime-version; bh=Tlo/D8XYULWbKvg5+bABHM3KS9fKNgZKvVMS7t0p0eI=; b=bgZXdcV3F+usZhSDQV0mRVxerIfbt8DPNXb/16U3iI5IsyzY1XPobJ22KXWWImK4W1 fq8kBOO9W9ztpP2Qx28UmA75VqTnxOudxYuYfC6hoUA564CFCi4tnLhAikvVhsE2zO9R WnbfoxxkXyCRphHvFGlFONl5WAV7xs/RTTYuPwnWecxOuIxYHHYTxvN81RX9qWxoa6Oo rg+PbiWitsckLMeKUc2DGZeej2CB4+6AwuX++KlELmcbTsIXNlxNPfxGVpZJsv2DARbT hsF+QaGW+qr4wxRLta9ANT41AYt2DvxzXhHUcWLOkn9LO2RD9/7tWJC/0Po4qNgR/weQ PzEA==
X-Gm-Message-State: AGi0PuZzGm5xzHyVh9BRb+7+AJZRMSxGoz0azBIQn7zFu0O+6Dciw864 77uovjUL9kUP9z7YTA+9ZMfg0Q==
X-Google-Smtp-Source: APiQypJJgaEdVKLdCz6nGRuJiw/LjsnVi8CVU4EIAlpCIDj12tVKxHMxW3Vydz/txTRvWms+8itRIw==
X-Received: by 2002:a17:902:8b88:: with SMTP id ay8mr14706412plb.235.1588883380851; Thu, 07 May 2020 13:29:40 -0700 (PDT)
Received: from ([2603:1036:120:1d::5]) by with ESMTPSA id e11sm5765851pfl.85.2020. (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 07 May 2020 13:29:40 -0700 (PDT)
From: Vittorio Bertocci <>
To: Prabath Siriwardena <>, Rifaat Shekh-Yusef <>, oauth <>
Thread-Topic: [OAUTH-WG] [JWT Profile for OAuth 2.0 Access Tokens] Adding state into the JWT
Thread-Index: AQHWJKHhl0Ukw7EDckG/tFQCgawZQqidEzCF
X-MS-Exchange-MessageSentRepresentingType: 1
Date: Thu, 07 May 2020 20:29:38 +0000
Message-ID: <>
References: <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
X-MS-Exchange-Organization-SCL: -1
X-MS-Exchange-Organization-RecordReviewCfmType: 0
Content-Type: multipart/alternative; boundary="_000_MWHPR19MB15017968B740A220A3896A7AAEA50MWHPR19MB1501namp_"
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [OAUTH-WG] [JWT Profile for OAuth 2.0 Access Tokens] Adding state into the JWT
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 07 May 2020 20:29:45 -0000

Hi Prabath,
Thanks for your comment! Here are my thoughts.
I don’t believe embedding the state in the AT would help. The state is generated (hence verified, if used for protection) by the client, but the content of the AT is really meant for the RS, which has no direct knowledge of what the state value should be, not in the first nor all the subsequent uses of the AT within its validity period. Also, the client itself is forbidden to inspect the content of the access token- you can find the details behind that in recent discussions on the list.
I’ll add to this that the implicit grant is on its way out of the grants stage, hence doing major changes to accommodate its quirks wouldn’t give a lot of ROI.

From: OAuth <> on behalf of Prabath Siriwardena <>
Date: Thursday, May 7, 2020 at 11:56
To: Rifaat Shekh-Yusef <>, oauth <>
Subject: [OAUTH-WG] [JWT Profile for OAuth 2.0 Access Tokens] Adding state into the JWT

Hi all,

Can we say in [1], that the AS should add the value of state parameter from the authorization request (if present), to the JWT access token it generates?

This will help to address token injection issue [2], with respect to the implicit grant type.

Appreciate your thoughts on this.



On Tue, May 5, 2020 at 11:19 AM Rifaat Shekh-Yusef <<>> wrote:
Hi all,

This is a 3rd working group last call for "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens".

Here is the document:

Please send your comments to the OAuth mailing list by May 12, 2020.

 Rifaat & Hannes
OAuth mailing list<>