PUBLIC - OAuth2 / OAUTH2-166 OAuth2 Documentation for 7.1.0 Release / OAUTH2-204

DOC: Advise remote app developers to use "state" to prevent CSRF attacks in the Authorization Code flow

    Details

    • Type: Sub-Task
    • Status: Closed
    • Priority: Minor
    • Resolution: Completed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels: None

      Description

      When using the Authorization Code flow it is important to prevent CSRF attacks, as described in OAUTH2-189.

      The request to the authorization endpoint should include a state parameter, and that parameter must be checked when the authorization code is received at the "redirectURI".

      Example:

      1. Call the OAuth2 endpoint with a state parameter containing a CSRF token (a one-time nonce bound to the user's session):
        /o/oauth2/authorize?client_id=myClientId&response_type=code&redirect_uri=https://my-site/oauth2-redirect&state=some-one-time-nonce
      2. When the authorization code arrives at the redirect URI endpoint, check that the returned state matches the stored one before using the code:
        https://my-site/oauth2-redirect?state=some-one-time-nonce&code=...
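      As an added example that is not part of the ticket, a minimal remote-app implementation of both steps in Python: the client id, redirect URI and endpoint path are taken from the example above, and a plain dict stands in for the app's server-side session store.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed values: client id, redirect URI and authorize path follow the
# ticket's example; a dict stands in for the server-side session store.
AUTHORIZE_ENDPOINT = "/o/oauth2/authorize"
CLIENT_ID = "myClientId"
REDIRECT_URI = "https://my-site/oauth2-redirect"


def begin_authorization(session):
    """Step 1: mint a one-time state nonce, bind it to the user's session
    and build the authorization request URL that carries it."""
    state = secrets.token_urlsafe(32)   # unguessable, per-login nonce
    session["oauth2_state"] = state     # tied to this browser session only
    query = urlencode({
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "state": state,
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}"


def handle_redirect(session, redirect_url):
    """Step 2: at the redirect URI, accept the code only if the returned
    state matches the one stored in this session. Returns code or None."""
    params = parse_qs(urlparse(redirect_url).query)
    returned_state = params.get("state", [None])[0]
    code = params.get("code", [None])[0]
    # pop() consumes the stored state so each nonce is usable exactly once
    expected_state = session.pop("oauth2_state", None)
    if not expected_state or not returned_state or code is None:
        return None  # no login pending in this session, or malformed callback
    if not secrets.compare_digest(expected_state, returned_state):
        return None  # state does not belong to this session: discard the code
    return code
```

A callback whose state is missing, mismatched or already consumed yields None, so the app never exchanges a code that was not requested from this session.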
