Hi Andrei,

AFAIU session cookie management is beyond the scope of the OAuth2 specification.

Regards,
Antonio

On Apr 24, 2014, at 6:39 PM, Andrei Shakirin <[email protected]> wrote:

> Hi,
>
> My name is Andrei Shakirin, I am working on the OAuth2 implementation in the Apache
> CXF project.
> Could you please help me verify my understanding regarding the use of
> session cookies in the OAuth2 flow?
> The OAuth2 specification mentions session cookies in:
> 1) Section 3.1. Authorization Endpoint, as a possible way to authenticate the
> resource owner against the authorization server
> 2) Section 10.12. Cross-Site Request Forgery, as a possible attack where the
> end-user follows a malicious URI to a trusting server, including a valid
> session cookie
>
> My current understanding is:
> a) using sessions between the user-agent and the authorization server is optional, and the
> authorization server is not obligated to keep user state (in case the
> user-agent provides authentication information with every request).
> b) in case sessions are used (for whatever reason), the authorization
> server has to take care of additional protection, like hidden form fields, in
> order to uniquely identify the actual authorization request.
>
> Is this correct?
>
> Regards,
> Andrei.
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
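The point raised in (b) above, as an added illustration that is not part of this thread nor Apache CXF code: a constructed, in-memory model of an authorization endpoint whose consent form carries a hidden, single-use token bound to the user's session, so that a forged POST riding on the session cookie (the Section 10.12 scenario) cannot approve an authorization request the user never saw. Class, method and field names are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class AuthorizationServer:
    """Constructed model of the consent step of an authorization endpoint.
    Every rendered consent form gets a fresh hidden token stored against the
    session together with the request parameters it was rendered for."""
    sessions: dict = field(default_factory=dict)      # session_id -> {"user", "pending"}
    issued_codes: dict = field(default_factory=dict)  # code -> request it was issued for

    def login(self, user):
        """Resource owner authenticates; the server starts a session (cookie value)."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "pending": {}}
        return sid

    def start_authorization(self, session_id, client_id, redirect_uri, scope):
        """GET /authorize: record the request and render the consent form fields."""
        session = self.sessions[session_id]
        token = secrets.token_urlsafe(32)  # unguessable, per-request, per-session
        session["pending"][token] = {"client_id": client_id,
                                     "redirect_uri": redirect_uri, "scope": scope}
        return {"csrf_token": token, "client_id": client_id, "scope": scope}

    def submit_consent(self, session_id, form):
        """POST /authorize: honour the form only if its hidden token is pending
        in THIS session; the stored request is used, never the POSTed fields."""
        session = self.sessions.get(session_id)
        if session is None:
            return {"error": "no_session"}
        request = session["pending"].pop(form.get("csrf_token", ""), None)
        if request is None:  # missing, foreign-session, or already-used token
            return {"error": "invalid_request", "reason": "missing or stale form token"}
        code = secrets.token_urlsafe(16)
        self.issued_codes[code] = {**request, "user": session["user"]}
        return {"code": code, "redirect_uri": request["redirect_uri"]}


def demo():
    """Legitimate consent succeeds; a forged POST and a replay are rejected."""
    srv = AuthorizationServer()
    sid = srv.login("alice")
    form = srv.start_authorization(sid, "good-client", "https://good.example/cb", "read")
    legit = srv.submit_consent(sid, form)
    # Forged POST from a malicious page: the browser attaches the session
    # cookie, but the page cannot read the hidden token, so it is absent.
    forged = srv.submit_consent(sid, {"client_id": "evil-client",
                                      "redirect_uri": "https://evil.example/cb"})
    replay = srv.submit_consent(sid, form)  # tokens are single use
    return legit, forged, replay
```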
