security - What does the "state" parameter prevent in the OpenID Connect server flow?
I'm not sure what kind of CSRF attack the "state" parameter prevents in the OpenID Connect server flow. Can you give me an example?
It prevents an attack in which the attacker produces a fake authentication response, e.g. as part of the basic client profile, by sending a code to the client's redirect URI. Example: after phishing a user, the attacker injects a stolen code that is associated with the current user in some way. The state correlates the request and the response, so an unsolicited crafted response is not possible without knowing the state parameter that was used in the request.
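The request/response correlation described in the answer, as an added example that is not part of the original post: a minimal relying party (client) that mints a fresh, unguessable `state` per login, stores it in the user's server-side session, and refuses any response arriving at the redirect URI whose `state` does not match. The endpoint, client ID, redirect URI and the in-memory `session` dict are assumptions for illustration only.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical relying-party configuration (assumed for this example,
# not taken from the original post).
AUTHORIZE_ENDPOINT = "https://op.example/authorize"
CLIENT_ID = "example-client"
REDIRECT_URI = "https://rp.example/callback"


def begin_login(session):
    """Start an authorization code request for the browser owning `session`.

    A fresh, unguessable state is generated per request and remembered in
    the user's server-side session; the same value travels to the OP.
    """
    state = secrets.token_urlsafe(32)
    session["oidc_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def handle_callback(session, callback_url):
    """Validate a response that arrived at the redirect URI.

    Returns the authorization code only if the response carries the state
    of an outstanding request from this same session; otherwise raises
    ValueError. The stored state is consumed so it cannot be replayed.
    """
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oidc_state", None)
    received = query.get("state", [None])[0]
    if expected is None or received is None:
        raise ValueError("no outstanding request for this session / missing state")
    # Constant-time comparison so the check does not leak the expected value.
    if not hmac.compare_digest(expected, received):
        raise ValueError("state mismatch: response was not solicited by this session")
    code = query.get("code", [None])[0]
    if code is None:
        raise ValueError("missing authorization code")
    return code


def demo():
    """Run a legitimate flow and an injection attempt; return (code, rejected)."""
    # Legitimate flow: the RP issues the request, the OP answers with the same state.
    victim_session = {}
    auth_url = begin_login(victim_session)
    state = parse_qs(urlparse(auth_url).query)["state"][0]
    legit_callback = REDIRECT_URI + "?" + urlencode(
        {"code": "code-for-victim", "state": state}
    )
    code = handle_callback(victim_session, legit_callback)

    # Injection attempt: the attacker holds some code and lures the victim's
    # browser to the redirect URI. Not knowing the victim session's state,
    # the attacker can only guess it, and the crafted response is rejected.
    victim_session2 = {}
    begin_login(victim_session2)
    crafted = REDIRECT_URI + "?" + urlencode(
        {"code": "code-for-attacker", "state": "guess"}
    )
    try:
        handle_callback(victim_session2, crafted)
        rejected = False
    except ValueError:
        rejected = True
    return code, rejected


if __name__ == "__main__":
    print(demo())
```

The same check also rejects a crafted response delivered to a browser that never started a login (no stored state at all), which is the plain CSRF case; binding the state to the session rather than only to the client is what makes the correlation per-user. Since the state is popped on first use, a captured legitimate response cannot be replayed against the same session either.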