
CSRF protection in Authorization endpoint

Open FreekPaans opened this issue 8 years ago • 0 comments

As far as I can tell there is no CSRF protection for the Authorization endpoint, yet this is mandated by https://tools.ietf.org/html/rfc6749#section-10.12:

   A CSRF attack against the authorization server's authorization
   endpoint can result in an attacker obtaining end-user authorization
   for a malicious client without involving or alerting the end-user.

   The authorization server MUST implement CSRF protection for its
   authorization endpoint and ensure that a malicious client cannot
   obtain authorization without the awareness and explicit consent of
   the resource owner.

FreekPaans, Apr 24 '16 10:04
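The server-side half of the protection RFC 6749 section 10.12 asks for is a per-session, single-use token bound to the consent form served by the authorization endpoint (the `state` parameter covers the client's redirection URI, not this step). The following is an added example of such a guard, not code from oauth2-demo-php or its maintainers; it keeps the session as a plain array so it runs without a live PHP session, and the names `issueConsentCsrfToken`, `verifyConsentCsrfToken`, `handleConsentDecision` and the 600-second lifetime are assumptions of this example. Handing the approve/deny outcome to the OAuth2 library's authorize handler is left to the caller.

```php
<?php
// Added example (not from oauth2-demo-php): synchronizer-token CSRF guard for
// the authorization endpoint's consent form. The session is an array argument
// so the functions can be exercised offline; in the app this would be $_SESSION.

declare(strict_types=1);

const CSRF_SESSION_KEY = 'authorize_csrf_token';
const CSRF_TOKEN_TTL   = 600; // seconds a token stays valid (assumed policy)

/** Create a fresh random token, store it in the session, and return it for the form. */
function issueConsentCsrfToken(array &$session, int $now): string
{
    $token = bin2hex(random_bytes(32));
    $session[CSRF_SESSION_KEY] = ['value' => $token, 'issued_at' => $now];
    return $token;
}

/** Validate the submitted token against the session. The stored token is consumed either way. */
function verifyConsentCsrfToken(array &$session, ?string $submitted, int $now): bool
{
    $stored = $session[CSRF_SESSION_KEY] ?? null;
    // Clear the stored token first so a token can never be replayed, valid or not.
    unset($session[CSRF_SESSION_KEY]);

    if ($stored === null || $submitted === null || $submitted === '') {
        return false;
    }
    if ($now - $stored['issued_at'] > CSRF_TOKEN_TTL) {
        return false; // stale form: force the user through the consent screen again
    }
    // Constant-time comparison so the token value does not leak through timing.
    return hash_equals($stored['value'], $submitted);
}

/** Render the consent form (GET /authorize) with the token as a hidden field. */
function renderConsentForm(array &$session, string $clientId, int $now): string
{
    $token  = issueConsentCsrfToken($session, $now); // hex, safe to embed unescaped
    $client = htmlspecialchars($clientId, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/authorize">'
        . '<p>Allow ' . $client . ' to access your account?</p>'
        . '<input type="hidden" name="csrf_token" value="' . $token . '">'
        . '<button name="authorized" value="yes">Approve</button>'
        . '<button name="authorized" value="no">Deny</button>'
        . '</form>';
}

/**
 * Handle the consent decision (POST /authorize).
 * Returns 'authorized', 'denied' or 'rejected_csrf'; only the first two are
 * ever passed on to the library's authorize handler.
 */
function handleConsentDecision(array &$session, array $post, int $now): string
{
    if (!verifyConsentCsrfToken($session, $post['csrf_token'] ?? null, $now)) {
        return 'rejected_csrf';
    }
    return ($post['authorized'] ?? 'no') === 'yes' ? 'authorized' : 'denied';
}

// Walk-through with an in-memory session (constructed data, not a real request).
$session = [];
$now     = time();

// 1. Legitimate flow: the browser submits the token from the rendered form.
$html = renderConsentForm($session, 'demo-client', $now);
preg_match('/name="csrf_token" value="([0-9a-f]+)"/', $html, $m);
echo handleConsentDecision($session, ['csrf_token' => $m[1], 'authorized' => 'yes'], $now), PHP_EOL; // authorized

// 2. Cross-site POST: a third-party page cannot read the session-bound token, so
//    its submission (no token, or a guessed one) is rejected before consent is recorded.
renderConsentForm($session, 'demo-client', $now);
echo handleConsentDecision($session, ['authorized' => 'yes'], $now), PHP_EOL; // rejected_csrf

// 3. Replay: the token consumed in step 1 is gone from the session and fails again.
echo handleConsentDecision($session, ['csrf_token' => $m[1], 'authorized' => 'yes'], $now), PHP_EOL; // rejected_csrf
```

The token is consumed on every POST, valid or not, so a single consent form can authorize at most one decision; marking the session cookie `SameSite=Lax` or `Strict` is a useful second layer but does not replace the per-form token, since the RFC requires the authorization server itself to refuse consent that the resource owner did not knowingly submit.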