Regardless of what state actually is, the documentation (also the one
for OIDC) should make clear that the same state should not be sent to
two different AS, and that a state issued for AS #1 should be invalid
for AS #2.

On 10.05.2016 at 09:31, Anthony Nadalin wrote:
> STATE can be anything; it does not have to be a NONCE, so changing this
> would cause issues at this time for existing deployments.
> 
> *From:* OAuth [mailto:[email protected]] *On Behalf Of* Nat Sakimura
> *Sent:* Monday, May 9, 2016 7:34 PM
> *To:* Guido Schmitz <[email protected]>; [email protected]
> *Subject:* Re: [OAUTH-WG] Multi-AS State Re-Use
> 
> As far as I am aware, state was meant to be a nonce. Replay possibility
> etc. were known. It is probably bad documentation that every reviewer
> missed because they were assuming it.


-- 
Information Security and Cryptography
Universität Trier - Tel. 0651 201 2847 - H436
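The binding the top message asks for (a `state` value that is valid only for the authorization server it was issued for, and only once) is easy to get wrong in a client that talks to several AS. The following is an added illustration, not code from any of the posters or from an OAuth library: a small in-memory store that records, per issued `state`, which AS and which user session it belongs to, and refuses the value on callback if any of those do not match. The issuer URLs, session ids and the redirect-URI-to-AS mapping are constructed for the example.

```python
import secrets
import time


class StateStore:
    """Pending authorization requests keyed by the `state` value.

    Each entry remembers the AS the state was issued for and the browser
    session that started the flow, so a state returned through another
    AS's redirect (or from another session) is rejected.  A state is
    burned on its first presentation, whether or not the checks pass, so
    it can never be replayed.
    """

    def __init__(self, ttl_seconds=600):
        self._pending = {}          # state -> {"as", "session", "created"}
        self._ttl = ttl_seconds

    def issue(self, as_issuer, session_id, now=None):
        now = time.time() if now is None else now
        state = secrets.token_urlsafe(32)   # 256 bits from the CSPRNG: unguessable
        self._pending[state] = {"as": as_issuer, "session": session_id, "created": now}
        return state

    def consume(self, state, as_issuer, session_id, now=None):
        """Return (ok, reason). Removes the state on any presentation."""
        now = time.time() if now is None else now
        entry = self._pending.pop(state, None)
        if entry is None:
            return False, "unknown or already used state"
        if now - entry["created"] > self._ttl:
            return False, "expired state"
        if entry["session"] != session_id:
            return False, "state belongs to a different user session"
        if entry["as"] != as_issuer:
            return False, "state was issued for a different authorization server"
        return True, "ok"


# Constructed example: the client registers a distinct redirect URI with each
# AS, so the callback path itself tells us which AS is answering.
REDIRECT_URI_TO_AS = {
    "/cb/as1": "https://as1.example",
    "/cb/as2": "https://as2.example",
}


def start_login(store, as_issuer, session_id):
    """Build the authorization request parameters for one AS (minimal subset)."""
    state = store.issue(as_issuer, session_id)
    return {"response_type": "code", "state": state, "iss_hint": as_issuer}


def handle_callback(store, callback_path, query, session_id):
    """Validate the callback before the `code` is exchanged for tokens."""
    as_issuer = REDIRECT_URI_TO_AS.get(callback_path)
    if as_issuer is None:
        return False, "unknown redirect URI"
    state = query.get("state")
    if not state:
        return False, "missing state"
    return store.consume(state, as_issuer, session_id)


def demo():
    """Exercise the cross-AS, cross-session and replay cases; returns outcomes."""
    store = StateStore()
    # State issued for AS #1 but presented on AS #2's callback: rejected.
    s1 = start_login(store, "https://as1.example", "sess-A")["state"]
    wrong_as = handle_callback(store, "/cb/as2", {"state": s1, "code": "x"}, "sess-A")
    # Fresh state for AS #1, presented on AS #1's callback from the same session: accepted.
    s2 = start_login(store, "https://as1.example", "sess-A")["state"]
    right_as = handle_callback(store, "/cb/as1", {"state": s2, "code": "y"}, "sess-A")
    # The same state presented a second time: rejected (single use).
    replay = handle_callback(store, "/cb/as1", {"state": s2, "code": "y"}, "sess-A")
    # State from session A presented by session B: rejected.
    s3 = start_login(store, "https://as2.example", "sess-A")["state"]
    wrong_session = handle_callback(store, "/cb/as2", {"state": s3, "code": "z"}, "sess-B")
    return {"wrong_as": wrong_as, "right_as": right_as,
            "replay": replay, "wrong_session": wrong_session}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:14s} -> {'accepted' if ok else 'rejected'}: {reason}")
```

The store pops the entry before checking it, so a state that is presented once at the wrong AS is also dead at the right one; that is deliberate, since a value that has already left the client's control should not be trusted again. The per-AS redirect URI is what lets the client know which AS it is hearing from without trusting anything in the query string for that decision.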

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
