Re: [OAUTH-WG] How an AS can validate the state parameter?

Eran Hammer <eran@hueniverse.com> Thu, 08 March 2012 00:22 UTC

From: Eran Hammer <eran@hueniverse.com>
To: Andrew Arnott <andrewarnott@gmail.com>, "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Date: Wed, 07 Mar 2012 17:21:58 -0700
Thread-Topic: [OAUTH-WG] How an AS can validate the state parameter?
Thread-Index: AczvHDhFISNzBSQ3RAC7Me1xuWvrhQNpTaxQ
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723453AFCD407E@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <CAE358b4oLN_AFWyt=G_9AE35TH7JEv=p9GorhTNdB3-Vj1NesA@mail.gmail.com>
In-Reply-To: <CAE358b4oLN_AFWyt=G_9AE35TH7JEv=p9GorhTNdB3-Vj1NesA@mail.gmail.com>

Can't validate, but can sanitize.

EH

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Andrew Arnott
Sent: Sunday, February 19, 2012 7:36 AM
To: OAuth WG (oauth@ietf.org)
Subject: [OAUTH-WG] How an AS can validate the state parameter?

From section 10.14 (draft 23):
The Authorization server and client MUST validate and sanitize any value received, and in particular, the value of the state and redirect_uri parameters.

Elsewhere in the spec the AS is instructed to exactly preserve the state and to consider it an opaque value.  How then, can an AS validate and sanitize the state parameter?

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
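As an added illustration of the reply above (example code, not from the thread or any OAuth implementation): an AS that keeps `state` opaque and echoes it back byte-for-byte, but sanitizes it in the sense of refusing values it cannot carry safely and percent-encoding it when building the redirect, so a client-supplied value cannot inject extra query parameters, a fragment, or a header line break. `MAX_STATE_LEN` and the function names are assumptions of this example.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit, urlencode, parse_qsl

MAX_STATE_LEN = 512  # assumed local policy; the spec sets no limit


def sanitize_state(state: Optional[str]) -> Optional[str]:
    """Sanitize without interpreting: never alter the value that will be
    echoed back, only reject values that cannot be carried safely."""
    if state is None:
        return None
    if len(state) > MAX_STATE_LEN:
        raise ValueError("state too long")
    # CR/LF in a value that ends up in a Location: header enables header injection
    if "\r" in state or "\n" in state:
        raise ValueError("state contains line breaks")
    return state


def build_authorization_response(redirect_uri: str, code: str,
                                 state: Optional[str]) -> str:
    """Append code (and state, if one was sent) to the registered redirect_uri,
    keeping its existing query and percent-encoding every value."""
    parts = urlsplit(redirect_uri)
    if parts.fragment:
        raise ValueError("redirect_uri must not contain a fragment")
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("code", code))
    st = sanitize_state(state)
    if st is not None:
        query.append(("state", st))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


def state_round_trips(state: str) -> bool:
    """Client-side view: the value parsed out of the redirect equals the value
    the client sent, so it can be compared against the client's session copy."""
    url = build_authorization_response("https://client.example/cb?a=1",
                                       "constructed-code", state)
    received = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    return received.get("state") == state and received.get("a") == "1"


if __name__ == "__main__":
    # constructed hostile value: tries to smuggle a parameter and a fragment
    hostile = "xyz&redirect_uri=https://evil.example#frag"
    print(build_authorization_response("https://client.example/cb", "abc", hostile))
    print(state_round_trips(hostile))
```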