Security issue: `state` parameter missing in redirect URL
islamazhar opened this issue · comments
Hi,
I am a bit concern while using the projects's code for my own microservice because I noticed that the state
parameter in redirect URL is missing.
RFC 6749 strongly recommends the presence of the state
param because the absence of state param can essentially enable an attacker to perform Cross Site Request Forgery (CSRF) attack [1].
The following code snippet is what I am talking about which is from getAccessToken
method in ApiController
rest controller class where parameters of the redirect URL such as code
, grant_type
, redirect_uri
, scope
are constructed.
// zlt-demo/sso-demo/web-sso/src/main/java/com/sso/demo/controller/ApiController.java
param.add("code", code);
param.add("grant_type", "authorization_code");
param.add("redirect_uri", redirectUri);
param.add("scope", "app");
I want to know your view on this security concern and how it can affect the security of my application against CSRF attack as mentioned in the RFC 6749 document?
Thanks in advance.
References:
[1] RFC 6749 The OAuth 2.0 Authorization Framework Cross Site Request Forgery
Thank you for your suggestion! Increasing the state
parameter can effectively prevent CSRF
attacks.
But my demo is just a simple sso
demonstration. The simplest way to demonstrate the entire sso
interaction process does not need to consider CSRF
attacks.
Thank you for your response. I am closing the issue.