As far as I can tell there is no CSRF protection for the Authorization endpoint, yet this is mandated by https://tools.ietf.org/html/rfc6749#section-10.12:
A CSRF attack against the authorization server's authorization
endpoint can result in an attacker obtaining end-user authorization
for a malicious client without involving or alerting the end-user.
The authorization server MUST implement CSRF protection for its
authorization endpoint and ensure that a malicious client cannot
obtain authorization without the awareness and explicit consent of
the resource owner.
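To make the requirement concrete, the following is an added example (not this project's code, and independent of whatever framework the project uses) of the synchronizer-token pattern RFC 6749 section 10.12 is asking for on the authorization server's own consent form. All names (`Session`, `render_consent_form`, `handle_consent_post`, the `client-abc` client and its redirect URI) are hypothetical and constructed for the demonstration. The unprotected handler reproduces the problem described in the issue: any POST that rides the victim's session cookie is taken as consent. The protected handler only honours a POST that carries the token the server embedded in the consent form it served to that same session, which a cross-site attacker page cannot read.

```python
"""Hypothetical OAuth 2.0 authorization endpoint with per-session CSRF tokens
(added example; not this project's code)."""
import hmac
import secrets

# Constructed client registry: the only client/redirect pair the server knows.
REGISTERED_CLIENTS = {"client-abc": "https://client.example/cb"}


class Session:
    """Minimal server-side session for the resource owner's browser."""
    def __init__(self, user):
        self.user = user
        self.csrf_token = None  # bound to this session, never to the request


def render_consent_form(session, client_id, redirect_uri, scope):
    """GET /authorize: mint a fresh per-session token and embed it in the form.

    Returns the hidden fields the HTML consent form would carry back on POST.
    """
    if REGISTERED_CLIENTS.get(client_id) != redirect_uri:
        raise ValueError("unknown client or redirect_uri mismatch")
    session.csrf_token = secrets.token_urlsafe(32)
    return {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "csrf_token": session.csrf_token,
    }


def handle_consent_post(session, form):
    """POST /authorize, protected: consent is only honoured when the form
    carries the token previously stored in this very session."""
    submitted = form.get("csrf_token", "")
    expected = session.csrf_token
    if not expected or not hmac.compare_digest(expected, submitted):
        return ("error", "csrf_check_failed")
    session.csrf_token = None  # single use: a replayed form must fail
    if form.get("decision") != "allow":
        return ("error", "access_denied")
    if REGISTERED_CLIENTS.get(form.get("client_id")) != form.get("redirect_uri"):
        return ("error", "invalid_request")
    return ("code", secrets.token_urlsafe(24))


def handle_consent_post_unprotected(session, form):
    """The behaviour the issue describes: any POST that arrives with the
    victim's session cookie is treated as the user's consent."""
    if form.get("decision") != "allow":
        return ("error", "access_denied")
    if REGISTERED_CLIENTS.get(form.get("client_id")) != form.get("redirect_uri"):
        return ("error", "invalid_request")
    return ("code", secrets.token_urlsafe(24))


def forged_consent():
    """What an attacker's page auto-submits from the victim's browser. The
    browser attaches the victim's session cookie, but the attacker never
    saw the token embedded in the victim's consent form."""
    return {"decision": "allow", "client_id": "client-abc",
            "redirect_uri": "https://client.example/cb", "scope": "read"}


def demo():
    """Returns the outcome of four requests: forged/unprotected,
    forged/protected, legitimate, and a replay of the legitimate form."""
    victim = Session("alice")
    # 1. Forged POST against the unprotected handler succeeds: the attacker's
    #    client gets a code without the user ever seeing a consent screen.
    unprotected = handle_consent_post_unprotected(victim, forged_consent())
    # 2. Same forged POST against the protected handler: no token, rejected.
    forged = handle_consent_post(victim, forged_consent())
    # 3. Legitimate flow: the user loads the form, then submits it.
    form = render_consent_form(victim, "client-abc",
                               "https://client.example/cb", "read")
    legit = handle_consent_post(victim, dict(form, decision="allow"))
    # 4. Replaying the same form (token already consumed) is rejected too.
    replay = handle_consent_post(victim, dict(form, decision="allow"))
    return unprotected[0], forged[0], legit[0], replay[0]


if __name__ == "__main__":
    print(demo())  # ('code', 'error', 'code', 'error')
```

The check has to compare against state kept server-side for the session (or a value cryptographically bound to the session cookie); validating that a token is merely present, or accepting one minted in the attacker's own session, does not satisfy the RFC text quoted above. Note that this is distinct from the `state` parameter in the same RFC section, which protects the client's redirect URI, not the server's consent form.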