Problem Statement
A malicious OAuth client could attempt to alter the requested scopes between the initial authorization request and the user's consent submission if the state is not cryptographically bound.
Technical Approach
Ensure that the consent submission validates the original requested scopes temporarily stored in Redis against a cryptographically secure consent_challenge token.
Acceptance Criteria
- Users cannot grant scopes that were not explicitly requested in the initial
/authorize step.
- The consent flow strictly honors the initial request parameters.
Problem Statement
A malicious OAuth client could attempt to alter the requested scopes between the initial authorization request and the user's consent submission if the state is not cryptographically bound.
Technical Approach
Ensure that the consent submission validates the original requested scopes temporarily stored in Redis against a cryptographically secure
consent_challengetoken.Acceptance Criteria
/authorizestep.