Hi Antonio,

Thanks for your quick answer. Important for me is that OAuth2 doesn't force the authorization server to store client or user-agent state, so the authorization server can be stateless and is not obligated to introduce sessions at all.

Regards,
Andrei.

> -----Original Message-----
> From: Antonio Sanso [mailto:[email protected]]
> Sent: Friday, 25 April 2014 09:02
> To: Andrei Shakirin
> Cc: [email protected]
> Subject: Re: [OAUTH-WG] Session cookies in OAuth2 flow
>
> hi Andrei,
>
> AFAIU session cookie management is beyond the scope of the OAuth2
> specification.
>
> regards
>
> antonio
>
> On Apr 24, 2014, at 6:39 PM, Andrei Shakirin <[email protected]> wrote:
>
> > Hi,
> >
> > My name is Andrei Shakirin, I am working on the OAuth2 implementation in the Apache CXF project.
> > Could you please help me verify my understanding regarding the use of session cookies in the OAuth2 flow.
> > The OAuth2 specification mentions session cookies in:
> > 1) Section 3.1. Authorization Endpoint, as a possible way to authenticate the resource owner against the authorization server
> > 2) Section 10.12. Cross-Site Request Forgery, as a possible attack where the end-user follows a malicious URI to a trusting server including a valid session cookie
> >
> > My current understanding is:
> > a) using sessions between user-agent and authorization server is optional and the authorization server is not obligated to keep user state (in case the user-agent provides authentication information with every request).
> > b) in case sessions are used (for any reason), the authorization server has to take care of additional protection like hidden form fields in order to uniquely identify the actual authorization request.
> >
> > Is this correct?
> >
> > Regards,
> > Andrei.
> >
> > _______________________________________________
> > OAuth mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/oauth
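As an added example, not code from this thread or from Apache CXF, the following shows one way an authorization server can implement point (b) from Andrei's original message (a hidden form field that uniquely identifies the authorization request) while keeping the statelessness he describes in his reply: the token is an HMAC over the bound request parameters, the authenticated resource owner, and an issue time, so the server stores nothing between rendering the consent form and receiving the POST. The key, TTL, parameter names, and the `subject`/`request_token` field names are assumptions for this example.

```python
"""Stateless per-request token for an OAuth2 consent form (added example).

Assumes the authorization server authenticates the resource owner on every
request (no server-side session state) and that the consent page carries the
token in a hidden form field named "request_token".
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed server secret; a real deployment loads this from its key store.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 300
# Parameters that identify the authorization request (RFC 6749 section 4.1.1).
BOUND_PARAMS = ("response_type", "client_id", "redirect_uri", "scope", "state")


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _canonical(subject: str, auth_request: dict, issued_at: int) -> bytes:
    # Deterministic encoding of exactly the fields the token binds.
    bound = {k: auth_request.get(k, "") for k in BOUND_PARAMS}
    return json.dumps({"sub": subject, "req": bound, "iat": issued_at},
                      sort_keys=True, separators=(",", ":")).encode()


def make_request_token(subject: str, auth_request: dict,
                       key: bytes = SERVER_KEY, now=None) -> str:
    """Value for the hidden form field: b64(payload).b64(HMAC-SHA256(key, payload)).

    Binding the resource owner ("sub") into the token matters: a token minted for
    one user is worthless when a different authenticated user posts it.
    """
    issued_at = int(time.time() if now is None else now)
    payload = _canonical(subject, auth_request, issued_at)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_request_token(token: str, subject: str, auth_request: dict,
                         key: bytes = SERVER_KEY, now=None) -> bool:
    """True only if the token was minted by this server, for this resource
    owner, for exactly this authorization request, and has not expired."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
    except ValueError:  # malformed token or bad base64 (binascii.Error)
        return False
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False
    claims = json.loads(payload)  # authentic payload, so this is our own JSON
    current = int(time.time() if now is None else now)
    if not 0 <= current - claims["iat"] <= TOKEN_TTL_SECONDS:
        return False
    # Rebuild the canonical form from what the consent POST actually carries,
    # so a token cannot be redirected to a different request or user.
    return hmac.compare_digest(payload, _canonical(subject, auth_request, claims["iat"]))


def consent_post_is_genuine(subject: str, form: dict,
                            key: bytes = SERVER_KEY, now=None) -> bool:
    """Gate for issuing an authorization code: `subject` comes from the per-request
    authentication of the POST, `form` from the submitted consent form."""
    token = form.get("request_token", "")
    return verify_request_token(token, subject, form, key=key, now=now)
```

On the consent POST the server re-authenticates the user, rebuilds the canonical request from the posted fields, and recomputes the HMAC; only a byte-for-byte match within the TTL issues a code. Because the token is never in a cookie, a forged cross-site request that rides on the user's session cookie alone fails the check, and because it is HMAC-bound rather than stored, the server keeps no per-request state.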
