Re: [OAUTH-WG] best practice for Native app + state param?

Justin Richer <> Tue, 19 January 2016 16:29 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id C1DE91B31F8 for <>; Tue, 19 Jan 2016 08:29:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.303
X-Spam-Status: No, score=-2.303 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ZMUgKY05OKG4 for <>; Tue, 19 Jan 2016 08:29:12 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id CAB9B1B31F6 for <>; Tue, 19 Jan 2016 08:29:11 -0800 (PST)
X-AuditID: 1209190d-f79306d000006b70-6f-569e6456935d
Received: from ( []) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id A6.F9.27504.6546E965; Tue, 19 Jan 2016 11:29:10 -0500 (EST)
Received: from ( []) by (8.13.8/8.9.2) with ESMTP id u0JGT9Do031979; Tue, 19 Jan 2016 11:29:10 -0500
Received: from [] ( []) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by (8.13.8/8.12.4) with ESMTP id u0JGT76Z022618 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 19 Jan 2016 11:29:09 -0500
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: Justin Richer <>
In-Reply-To: <>
Date: Tue, 19 Jan 2016 11:29:05 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <>
To: Lewis Adam-CAL022 <>
X-Mailer: Apple Mail (2.2104)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrGIsWRmVeSWpSXmKPExsUixCmqrBuWMi/M4GKvlMXObT9ZLU6+fcXm wOSxZMlPJo8JE3+wBDBFcdmkpOZklqUW6dslcGW8+3CNrWA7T8WtGU1sDYyNXF2MnBwSAiYS z9d/YIewxSQu3FvP1sXIxSEksJhJ4vCZWcwQzkZGiWXLDrNDOLeZJN7tPgjWwiygLvFn3iVm EJtXQE/i1a3LrCC2sICzxLcf+5hAbDYBVYnpa1qAbA4OToFAiZ5lUiBhFqDwtvsf2UHCIGPa T7pATNSWWLbwNTNImFfASmL72RKQsJBAgMSvrkaw4SICFhJbX15hgrhZVmL370dMExgFZyG5 ZxaSe2YhmbqAkXkVo2xKbpVubmJmTnFqsm5xcmJeXmqRrpFebmaJXmpK6SZGcPBK8u5gfHdQ 6RCjAAejEg/vC8e5YUKsiWXFlbmHGCU5mJREeY0i5oUJ8SXlp1RmJBZnxBeV5qQWH2KU4GBW EuG9FweU401JrKxKLcqHSUlzsCiJ8+7qAJokkJ5YkpqdmlqQWgSTleHgUJLgvZ0E1ChYlJqe WpGWmVOCkGbi4AQZzgM0vASkhre4IDG3ODMdIn+KUVFKnPcSSEIAJJFRmgfXC0ouCW8Pm75i FAd6RZhXIBmoigeYmOC6XwENZgIa/NNjNsjgkkSElFQD47wduUqSESlPi04byQY3L2I7ZcJh d91Vvv2QflAEY/eN28wXCk4yyIhNdHi1oslf5MqT81/eabV8033mPvvUz1c5iv9OHFd8Pllt 1Rv+C1fT2J1nuIdne/Jm/X+z4JDqGWvrPS+nHPFg2/zx3PvDklbXnoZlLf/JPemCisC87rJ9 21ZzefrtqVJiKc5INNRiLipOBAAzpUiGCQMAAA==
Archived-At: <>
Cc: "<>" <>
Subject: Re: [OAUTH-WG] best practice for Native app + state param?
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 19 Jan 2016 16:29:14 -0000

I think there’s no advice because it’s not different: you should still be using the state parameter. Just use a random value with high enough entropy, which is also what most web applications do (the advice in the spec is weird and I think a remnant of Bradley making things too complicated in his advice). In a web app, it gets tied to the session cookie back on the server, you don’t need any particularly fancy binding beyond your usual session management. In a native app, just store it in the application before you send it and look it up on the way back to make sure it matches. Combine this with PKCE and you’ve got a pretty solid set of protections for native apps.

 — Justin

> On Jan 19, 2016, at 10:18 AM, Adam Lewis <> wrote:
> Hi,
> I have not been able to find any usage for the state parameter in authorization requests for native apps.  Further, the spec guidance of using a hash of the session cookie as the value of the state param doesn't apply for native apps.
> draft-wdenniss-oauth-native-apps is silent on the matter.
> Usage of state seems to be unique to clients conforming to the web app profile.
> Bottom line, looking to vet that it's safe to omit the state parameter in the authorization request for native apps, and that I'm not missing something critical.
> _______________________________________________
> OAuth mailing list