Re: [OAUTH-WG] How an AS can validate the state parameter?

2012-03-07 Thread Eran Hammer
Can't validate, but can sanitize.

EH

From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Andrew Arnott
Sent: Sunday, February 19, 2012 7:36 AM
To: OAuth WG (oauth@ietf.org)
Subject: [OAUTH-WG] How an AS can validate the state parameter?

From section 10.14: (draft 23

[OAUTH-WG] How an AS can validate the state parameter?

2012-02-19 Thread Andrew Arnott
From section 10.14: (draft 23) The Authorization server and client MUST validate and sanitize any value received, and in particular, the value of the state and redirect_uri parameters. Elsewhere in the spec the AS is instructed to exactly preserve the state and to consider it an opaque