Add CSRF protection?

[callahad]

Dubious as to the value in the case of the RP -- a malicious actor could just hit /auth on the Broker directly to initiate a login... but at least it wouldn't consume as many cycles on the RP?

...but probably still a good idea.

[vr2262]

I just ran into this when creating a dummy application using Tornado. Is there any security risk with disabling the CSRF protection on the /verify endpoint? Or is there some way to have the response from the broker include an _xsrf argument that I supply?

[stephank]

Sorry for the very late update on this. I think this is simply a docs issue, so we can make this issue about improving docs. (Feel free to unsub if this is noise.)

There is no issue with disabling CSRF for the redirect_uri, because the authentication process contains a similar token already (the nonce). The original issue description no longer applies; a malicious actor cannot perform a successful login by using /auth directly.