!!! Overview
[{$pagename}] is an [Internet Draft] we last saw as [https://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state-09|https://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state-09|target='_blank']

In the [OAuth 2.0] Authorization [protocol] [RFC 6749], the [Authorization Server] [SHOULD] perform an exact string comparison of the "[redirect_uri]" parameter with the "[redirect_uri]" parameter registered by the [OAuth Client]. This is essential for preventing token [leakage|Credential Leakage] to third parties in the OAuth [Implicit Grant].

As a result, [OAuth Clients] cannot safely add extra query parameters to the "[redirect_uri]" parameter that encode additional client [OAuth state parameter] information.

The Client [MUST] use the [OAuth state parameter] to encode both [Cross-site request forgery] protection and any other state information it wishes to preserve for itself regarding the [Authorization Request].

This draft proposes a mechanism whereby multiple state attributes can be encoded into a [JSON Web Token] ([JWT]) [RFC 7519] for use as the value of the "[state|OAuth state parameter]" parameter.
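
The following is an added example, not code from the draft or from this page: a client that packs CSRF protection and a return target into one signed JWT "state" value and validates it on the redirect. The claim names "rfp" and "target_link_uri" follow the draft rather than this page; the HS256 choice, key handling, session identifier and function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(key: bytes, signing_input: str) -> str:
    return _b64u(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())

def _rfp(key: bytes, session_id: str) -> str:
    # CSRF binding: derived from the browser session, unguessable without the key.
    return _sign(key, "rfp:" + session_id)

def make_state(key, session_id, extra, ttl=300, now=None):
    """Encode CSRF protection plus client state attributes into one JWT."""
    now = int(time.time() if now is None else now)
    claims = dict(extra, rfp=_rfp(key, session_id), iat=now, exp=now + ttl,
                  jti=secrets.token_urlsafe(8))
    header = {"alg": "HS256", "typ": "JWT"}  # assumption: symmetric client-held key
    signing_input = ".".join(_b64u(json.dumps(p).encode()) for p in (header, claims))
    return signing_input + "." + _sign(key, signing_input)

def check_state(key, session_id, state, now=None):
    """Validate the state returned on the redirect; raise ValueError if rejected."""
    now = int(time.time() if now is None else now)
    try:
        header_b64, claims_b64, sig = state.split(".")
        # Verify the signature before parsing any attacker-supplied JSON.
        if not hmac.compare_digest(sig, _sign(key, header_b64 + "." + claims_b64)):
            raise ValueError("bad signature")
        header = json.loads(_b64u_dec(header_b64))
        claims = json.loads(_b64u_dec(claims_b64))
        if header.get("alg") != "HS256":  # pin the algorithm, never trust the header
            raise ValueError("unexpected alg")
        if now >= claims["exp"]:
            raise ValueError("state expired")
        if not hmac.compare_digest(claims["rfp"], _rfp(key, session_id)):
            raise ValueError("state not bound to this session")
    except (KeyError, AttributeError, TypeError) as exc:
        raise ValueError("malformed state") from exc
    return claims
```

A signed JWT is readable by anyone who sees the redirect, so attributes that must stay confidential need an encrypted JWT instead.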


!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]