earaujoassis
commented
8 years ago The RFC 6749 doesn't state that the client application should send a state attribute when requesting a token session, after the authorization step (https://tools.ietf.org/html/rfc6749#section-4.1). Thus we're not implementing the following requirement for the version 0.1.0.
stateattribute in the authorisation process, we should track thatstateand send it back to the client application and make sure it is the same across the whole authentication/authorisation process.