In the OAuth 2.0 Authorization protocol (RFC 6749), the Authorization Server SHOULD perform an exact string comparison of the "redirect_uri" parameter with the "redirect_uri" parameter registered by the OAuth Client. This is essential for preventing token leakage to third parties in the OAuth Implicit Grant.
As a result, OAuth Clients cannot safely add extra query parameters to the "redirect_uri" parameter to encode additional client state information.
The Client MUST use the OAuth state parameter to encode both Cross-site request forgery protection and any other state information it wishes to preserve for itself regarding the Authorization Request.
This draft proposes a mechanism whereby multiple state attributes can be encoded into a JSON Web Token (JWT, RFC 7519) for use as the value of the "state" parameter.
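The following sketch shows a client packing CSRF protection and its own state into one signed JWT and checking it on the callback. It is an added example, not code from the draft. The claim names "rfp" and "return_to", the use of HS256 with a key held only by the client, and the binding to a session identifier are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def rfp_for(key: bytes, session_id: str) -> str:
    # CSRF value bound to the user agent's session; the "rfp:" label separates
    # this use of the key from the JWT signature below.
    return b64u(hmac.new(key, b"rfp:" + session_id.encode(), hashlib.sha256).digest())

def make_state(key, session_id, extra, ttl=600, now=None) -> str:
    """Return a compact HS256 JWT to send as the "state" parameter."""
    now = int(time.time()) if now is None else now
    # extra goes first so caller-supplied state cannot override rfp/iat/exp.
    claims = {**extra, "rfp": rfp_for(key, session_id), "iat": now, "exp": now + ttl}
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64u(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64u(sig)

def check_state(key, state, session_id, now=None) -> dict:
    """Verify the returned "state" value; raise ValueError on any failure."""
    now = int(time.time()) if now is None else now
    try:
        head, body, sig = state.split(".")
        header = json.loads(b64u_dec(head))
        got = b64u_dec(sig)
    except ValueError:
        raise ValueError("malformed state") from None
    # Pin the algorithm; the token must not choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(got, want):
        raise ValueError("bad signature")
    claims = json.loads(b64u_dec(body))  # parsed only after the MAC check
    if now >= claims["exp"]:
        raise ValueError("state expired")
    if not hmac.compare_digest(claims["rfp"], rfp_for(key, session_id)):
        raise ValueError("rfp mismatch")
    return claims
```

Because the value is base64url text, it travels in the "state" parameter unchanged while the registered "redirect_uri" stays byte-for-byte identical.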