Skip to content

OAuth Consent Screen Scope Injection #153

Description

@roshankumar0036singh

Problem Statement

A malicious OAuth client could attempt to alter the requested scopes between the initial authorization request and the user's consent submission if the state is not cryptographically bound.

Technical Approach

Ensure that the consent submission validates the original requested scopes temporarily stored in Redis against a cryptographically secure consent_challenge token.

Acceptance Criteria

  • Users cannot grant scopes that were not explicitly requested in the initial /authorize step.
  • The consent flow strictly honors the initial request parameters.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions