...

TBS - what to do when responding with other than a 403

...

Redirects 

If the client is concerned about HTTP parameter substitution of the ticket value after an end-user requesting party is redirected back from claims gathering, it can verify that the ticket it initially sent to the authorization server is the same value that the authorization server subsequently returns. To perform this check in a stateless fashion, the client can send the ticket value in the state parameter, ideally in encrypted form, and then compare the two values on receiving the response from the authorization server.
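One way to do the stateless comparison described above, as an added example that is not part of the original guide. The Python standard library has no authenticated encryption, so instead of an encrypted ticket the state here carries a random nonce plus an HMAC-SHA-256 tag over the ticket, which likewise keeps the ticket value out of state; the function names, key handling and callback URL are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

NONCE_LEN = 16
TAG_LEN = 32  # SHA-256 output size


def make_state(key: bytes, ticket: str) -> str:
    """Build a state value bound to `ticket` without revealing it.

    Assumption: `key` is a long-term secret known only to the client.
    """
    nonce = secrets.token_bytes(NONCE_LEN)
    tag = hmac.new(key, nonce + ticket.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + tag).decode()


def ticket_matches_state(key: bytes, redirect_url: str) -> bool:
    """Check the ticket returned on the redirect against the tag in state."""
    params = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)
    # Require exactly one ticket and one state. Duplicated parameters are
    # rejected instead of guessing which copy later code would read.
    if len(params.get("ticket", [])) != 1 or len(params.get("state", [])) != 1:
        return False
    try:
        raw = base64.urlsafe_b64decode(params["state"][0].encode())
    except ValueError:
        return False
    if len(raw) != NONCE_LEN + TAG_LEN:
        return False
    nonce, tag = raw[:NONCE_LEN], raw[NONCE_LEN:]
    returned_ticket = params["ticket"][0].encode()
    expected = hmac.new(key, nonce + returned_ticket, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


if __name__ == "__main__":
    # Constructed sample values, not taken from the guide.
    demo_key = secrets.token_bytes(32)
    demo_state = make_state(demo_key, "sample-ticket-1")
    url = f"https://client.example/cb?ticket=sample-ticket-1&state={demo_state}"
    print("unchanged ticket accepted:", ticket_matches_state(demo_key, url))
    tampered = url.replace("sample-ticket-1", "sample-ticket-2")
    print("substituted ticket accepted:", ticket_matches_state(demo_key, tampered))
```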

...

Change History 

...