Can't validate, but can sanitize.

EH

From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Andrew Arnott
Sent: Sunday, February 19, 2012 7:36 AM
To: OAuth WG (oauth@ietf.org)
Subject: [OAUTH-WG] How an AS can validate the state parameter?

From section 10.14: (draft 23)

The Authorization server and client MUST validate and sanitize any value received, and in particular, the value of the state and redirect_uri parameters.

Elsewhere in the spec the AS is instructed to exactly preserve the state and to consider it an opaque value. How then, can an AS validate and sanitize the state parameter?

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
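
One reading of the reply above, as an added example that is not part of the thread or the spec: the AS keeps state byte-for-byte intact and only encodes it for each context it is written into. The function names, the client.example URI, the code value and the sample state are assumptions constructed for illustration.

```python
# Added illustration, not code from the OAuth draft or the mailing list.
# All function names here are hypothetical.
import html
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode


def build_redirect(registered_uri: str, code: str, state: str) -> str:
    """Append code and state to the client's registered redirect URI.

    state is never inspected or altered. urlencode() percent-encodes it, so
    '&', '#', CR and LF inside it cannot add parameters, start a fragment,
    or split the Location header.
    """
    parts = urlsplit(registered_uri)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query += [("code", code), ("state", state)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def consent_hidden_field(state: str) -> str:
    """Carry state through the AS consent page, escaped for an HTML attribute."""
    escaped = html.escape(state, quote=True)
    return '<input type="hidden" name="state" value="%s">' % escaped


def state_seen_by_client(location: str) -> str:
    """What the client recovers when it parses the redirect it receives."""
    query = parse_qsl(urlsplit(location).query, keep_blank_values=True)
    return dict(query)["state"]


# Constructed sample: a state value that is hostile in URL, header and HTML
# contexts, yet must reach the client unchanged.
HOSTILE_STATE = 'xyz"><script>alert(1)</script>&code=other\r\nSet-Cookie: a=b#frag'

if __name__ == "__main__":
    location = build_redirect("https://client.example/cb?tenant=1",
                              "example-code", HOSTILE_STATE)
    print(location)
    print(consent_hidden_field(HOSTILE_STATE))
    print(state_seen_by_client(location) == HOSTILE_STATE)
```

The state value is opaque to the AS throughout: nothing is rejected or rewritten, and the client gets back exactly what it sent.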