Encoding claims in the OAuth 2 state parameter using a JWT is an Internet Draft we last saw as https://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state-07

In the OAuth 2.0 Authorization protocol RFC 6749, the Authorization Server SHOULD perform an exact string comparison of the "redirect_uri" parameter with the "redirect_uri" parameter registered by the OAuth Client. This is essential for preventing token leakage to third parties in the OAuth Implicit Grant.

As a result, OAuth Clients cannot safely add extra query parameters to the "redirect_uri" parameter in order to encode additional client state information.

The Client MUST use the "state" parameter to encode both Cross-site request forgery protection and any other state information it wishes to preserve for itself regarding the Authorization Request.

This draft proposes a mechanism whereby multiple state attributes can be encoded into a JSON Web Token (JWT) RFC 7519 for use as the value of the "state" parameter.
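As an added illustration (not code from the draft or from this page), a minimal client-side implementation in Python: the client mints an HS256-signed JWT carrying a request-forgery-protection value bound to the browser session plus its own return location, sends it as "state", and verifies it when the Authorization Server redirects back. The claim names rfp and target_link_uri, the HS256 key, and the five-minute lifetime are assumptions chosen for this example, not taken from this page.

```python
import base64, hashlib, hmac, json, secrets, time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def new_rfp() -> str:
    """Fresh request-forgery-protection value; the client also stores it in the browser session."""
    return secrets.token_urlsafe(16)

def make_state(key: bytes, rfp: str, target_link_uri: str, ttl: int = 300, now=None) -> str:
    """Build a compact HS256 JWT to use as the OAuth 'state' parameter (claim names are assumed)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"rfp": rfp, "iat": now, "exp": now + ttl, "target_link_uri": target_link_uri}
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def verify_state(key: bytes, state: str, session_rfp: str, now=None) -> dict:
    """Validate the 'state' returned on the redirect_uri; raise ValueError on any failure."""
    now = int(time.time()) if now is None else now
    parts = state.split(".")
    if len(parts) != 3:
        raise ValueError("malformed state")
    h_b64, c_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":          # allow-list the algorithm; never trust 'alg' blindly
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")     # tampered or forged state
    claims = json.loads(_b64url_decode(c_b64))
    if int(claims.get("exp", 0)) < now:
        raise ValueError("state expired")
    # Bind the callback to the browser session that started the request (CSRF protection).
    if not hmac.compare_digest(str(claims.get("rfp", "")), session_rfp):
        raise ValueError("rfp mismatch: possible cross-site request forgery")
    return claims
```

The signature prevents a third party from altering target_link_uri, and the rfp check ties the callback to the session that initiated the request; an exact redirect_uri match at the Authorization Server is still required.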

More Information#

There might be more information for this subject on one of the following:

« This page (revision-2) was last changed on 19-Jul-2017 08:44 by jim