Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CSRF protection in Authorization endpoint #60

Open
FreekPaans opened this issue Apr 24, 2016 · 0 comments
Open

CSRF protection in Authorization endpoint #60

FreekPaans opened this issue Apr 24, 2016 · 0 comments

Comments

@FreekPaans
Copy link

FreekPaans commented Apr 24, 2016
edited
Loading

As far a I can tell there is no CSRF protection for the Authorization endpoint, yet this is mandated by https://tools.ietf.org/html/rfc6749#section-10.12:

   A CSRF attack against the authorization server's authorization
   endpoint can result in an attacker obtaining end-user authorization
   for a malicious client without involving or alerting the end-user.

   The authorization server MUST implement CSRF protection for its
   authorization endpoint and ensure that a malicious client cannot
   obtain authorization without the awareness and explicit consent of
   the resource owner.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@FreekPaans