> Note that this is true of the web app profile as well. Garden variety
> XSRF protection using wrap_client_state can be used to prevent the
> attack if it's a concern.
>
In the web app profile, a Client can be guaranteed that once it has
gotten an access token + refresh token it actually has a real one (due
to the TLS when communicating with the Access Token URL). In the
alternate flow that we're discussing here, the Client won't know until
it actually tries to use the Access Token to retrieve a resource.
You are absolutely correct that in both flows a secure client state
could be used to prevent XSRF, but in the former, the Access Token URL
process provides a guarantee irrespective of whether the Client
provides a secure client state. As I mentioned above, I don't think
that it's necessarily a bad thing that a Client could receive a
spoofed Access Token, however, the spec should call this out and be
clear on how this situation should be handled. Do you agree?
Thanks,
Steve