This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
[{$pagename}] is an [Internet Draft] we last saw as [https://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state-09|https://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state-09|target='_blank']
In the [OAuth 2.0] Authorization [protocol] [RFC 6749], the [Authorization Server] [SHOULD] perform an exact string comparison of the "[redirect_uri]" parameter with the "[redirect_uri]" parameter registered by the [OAuth Client]. This is essential for preventing token [leakage|Credential Leakage] to third parties in the OAuth [Implicit Grant].
As a result, [OAuth Clients] cannot safely add extra query parameters to the "[redirect_uri]" parameter to encode additional client [OAuth state parameter] information.
The Client [MUST] use the [OAuth state parameter] to encode both [Cross-site request forgery] protection and any other state information it wishes to preserve for itself regarding the [Authorization Request].
This draft proposes a mechanism whereby multiple state attributes can be encoded into a [JSON Web Token] ([JWT]) [RFC 7519] for use as the value of the "[state|OAuth state parameter]" parameter.
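The following is an added example (not code from the draft or from this wiki) showing how a client can mint such a JWT-encoded state and validate it on the callback: an HS256-signed JWT carrying a CSRF token and the client's own return URI, checked with a pinned algorithm, a constant-time signature comparison and an expiry. The claim names rfp, iat, exp and target_link_uri are taken from the draft as remembered here and should be checked against the draft text; the key, URI and nonce values are constructed.

```python
import base64, hashlib, hmac, json
from typing import Optional

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_state(key: bytes, rfp: str, target_link_uri: str, now: int, ttl: int = 600) -> str:
    """Encode the CSRF token (rfp) and client state as an HS256-signed JWT for the state parameter.
    rfp is the per-session random value the client also stores in the user agent's session."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"rfp": rfp, "iat": now, "exp": now + ttl, "target_link_uri": target_link_uri}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_state(key: bytes, state: str, expected_rfp: str, now: int) -> Optional[dict]:
    """Validate the state echoed back by the Authorization Server.
    Returns the claims on success, None on any failure (the caller must then abort the flow)."""
    parts = state.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        sig = _b64url_decode(parts[2])
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: the token must never choose it (rejects alg=none and algorithm confusion).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    # Reject expired state so a captured state value cannot be replayed indefinitely.
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None
    # CSRF check: rfp must equal the value bound to this user agent's session.
    if not hmac.compare_digest(str(claims.get("rfp", "")), expected_rfp):
        return None
    return claims
```

The client stores only the rfp nonce in its session; everything else it needs after the redirect travels inside the signed state and is trusted only once the signature, expiry and rfp checks pass.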
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]