Hi,

My name is Andrei Shakirin, I am working on the OAuth2 implementation in the Apache CXF project. Could you please help me to verify my understanding regarding the use of session cookies in the OAuth2 flow. The OAuth2 specification mentions session cookies in:

1) Section 3.1. Authorization Endpoint, as a possible way to authenticate the resource owner against the authorization server
2) Section 10.12. Cross-Site Request Forgery, as a possible attack where the end-user follows a malicious URI to a trusting server, including a valid session cookie

My current understanding is:

a) using sessions between the user-agent and the authorization server is optional, and the authorization server is not obligated to keep user state (in case the user-agent provides authentication information with every request).
b) in case sessions are used (for whatever reason), the authorization server has to take care of additional protection, like hidden form fields, in order to uniquely identify the actual authorization request.

Is this correct?

Regards,
Andrei.

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
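The protection described in point b) above, as an added example that is not part of the original message and not Apache CXF code: a toy authorization endpoint in Python that authenticates the resource owner with a server-side session cookie and binds every consent form to a single-use hidden token. The client registration (`client-abc`, its redirect URI), the `request_token` field name and the `decision` field are assumptions made for the example; the point is that a cross-site request arriving with the victim's cookie but without the token issued to that session is refused, which is what the hidden form field is for.

```python
"""Toy OAuth2 authorization endpoint: session cookie + per-request hidden token.

Added example, not Apache CXF code. Client registration, field names and the
in-memory stores are assumptions; a real server would persist and expire them.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumed client registration: client_id -> the only redirect_uri it may use.
REGISTERED_REDIRECTS = {"client-abc": "https://client.example/cb"}


@dataclass
class Session:
    user: Optional[str] = None                       # authenticated resource owner
    pending: Dict[str, dict] = field(default_factory=dict)  # hidden token -> authz request


# Server-side session store: cookie value -> Session. The browser only holds the cookie.
SESSIONS: Dict[str, Session] = {}


class AuthzError(Exception):
    """Raised when the authorization endpoint refuses a request."""


def login(username: str) -> str:
    """Simulates resource-owner authentication; returns the session cookie value."""
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = Session(user=username)
    return cookie


def _session_for(cookie: str) -> Session:
    session = SESSIONS.get(cookie)
    if session is None or session.user is None:
        raise AuthzError("login required")
    return session


def get_authorize(cookie: str, client_id: str, redirect_uri: str, state: str) -> dict:
    """GET /authorize: validate the request and render the consent form.

    The returned dict stands in for the HTML form; 'request_token' is what would
    be emitted as <input type="hidden" name="request_token" value="...">. It is
    unguessable and stored only in this user's session, so it identifies exactly
    this authorization request.
    """
    session = _session_for(cookie)
    if REGISTERED_REDIRECTS.get(client_id) != redirect_uri:
        raise AuthzError("unknown client or redirect_uri mismatch")
    token = secrets.token_urlsafe(32)
    session.pending[token] = {"client_id": client_id, "redirect_uri": redirect_uri, "state": state}
    return {"request_token": token, "client_id": client_id, "user": session.user}


def post_authorize(cookie: str, form: dict) -> str:
    """POST /authorize: the consent decision. Returns the redirect Location.

    A forged cross-site form submission carries the victim's cookie (the browser
    attaches it automatically) but cannot carry a token the attacker never saw,
    so it fails here. Tokens are single-use, so a captured form cannot be replayed.
    """
    session = _session_for(cookie)
    supplied = str(form.get("request_token", "")).encode()
    # Constant-time comparison against each pending token for this session only.
    match = next((t for t in session.pending if hmac.compare_digest(t.encode(), supplied)), None)
    if match is None:
        raise AuthzError("missing or unknown request token (possible CSRF)")
    req = session.pending.pop(match)  # consume: one consent per issued form
    if form.get("decision") != "allow":
        return f"{req['redirect_uri']}?error=access_denied&state={req['state']}"
    code = secrets.token_urlsafe(24)  # authorization code; a real server stores it with req
    return f"{req['redirect_uri']}?code={code}&state={req['state']}"


def demo() -> dict:
    """Runs the legitimate flow, a forged POST and a replay; returns what happened."""
    cookie = login("alice")
    form = get_authorize(cookie, "client-abc", "https://client.example/cb", "xyz")
    location = post_authorize(cookie, {"request_token": form["request_token"], "decision": "allow"})

    def rejected(f: dict) -> bool:
        try:
            post_authorize(cookie, f)
            return False
        except AuthzError:
            return True

    return {
        "location": location,
        "forged_rejected": rejected({"decision": "allow"}),               # cookie only, no token
        "replay_rejected": rejected({"request_token": form["request_token"], "decision": "allow"}),
    }


if __name__ == "__main__":
    print(demo())
```

The hidden token protects the authorization server's own endpoint; the `state` value passed through to the redirect is the client's separate CSRF defence for its redirection endpoint, which Section 10.12 also calls for. Note that nothing here depends on the session for authentication itself: if the user-agent authenticated on every request instead, the per-request token would still be needed wherever the consent decision is submitted by a form the browser could be tricked into posting.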
