zlt2000 / microservices-platform

An enterprise-grade, multi-tenant microservice system architecture based on Spring Boot 2.x, Spring Cloud and Spring Cloud Alibaba, with separated front end and back end. It adopts a component-based design to achieve high cohesion and low coupling; the project code is concise and richly commented, easy to pick up, and suitable both for learning and for enterprise use. It implements a stateless, unified authentication and authorization solution based on RBAC, JWT and OAuth2, designed for the internet and suitable for both B-end and C-end users, supports CI/CD deployment across multiple environments, and provides application management so that third-party systems can be integrated easily; it also bundles a range of microservice governance and monitoring functions. Modules include: an enterprise-grade authentication system, development platform, application monitoring, slow-SQL monitoring, unified logging, single sign-on, Redis distributed cache, configuration center, distributed task scheduling, API documentation, code generation, and more.

Home Page: http://zlt2000.cn


Security issue: `state` parameter missing in redirect URL

islamazhar opened this issue · comments

Hi,

I am a bit concerned while using the project's code for my own microservice because I noticed that the `state` parameter in the redirect URL is missing.
RFC 6749 strongly recommends the presence of the `state` param because the absence of the `state` param can essentially enable an attacker to perform a Cross-Site Request Forgery (CSRF) attack [1].

The following code snippet is what I am talking about. It is from the `getAccessToken` method in the `ApiController` REST controller class, where the parameters of the redirect URL such as `code`, `grant_type`, `redirect_uri` and `scope` are constructed.

// zlt-demo/sso-demo/web-sso/src/main/java/com/sso/demo/controller/ApiController.java

    param.add("code", code);
    param.add("grant_type", "authorization_code");
    param.add("redirect_uri", redirectUri);
    param.add("scope", "app");

I want to know your view on this security concern and how it can affect the security of my application against a CSRF attack, as mentioned in the RFC 6749 document.
Thanks in advance.

References:
[1] RFC 6749 The OAuth 2.0 Authorization Framework Cross Site Request Forgery
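The mitigation RFC 6749 describes, shown as an added example that is not part of the issue or of the microservices-platform code: the client generates a random `state` value when it builds the authorization request, stores it in the user's session, and on the callback refuses to assemble the token request (the same `code`, `grant_type`, `redirect_uri` and `scope` parameters quoted above) unless the returned `state` matches the stored one. The session store, the class and method names, and the endpoint URL, client id and redirect URI are constructed stand-ins so the class compiles with only the JDK (Java 11 or later), without Spring or the servlet API.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Optional;

/**
 * Added example, not code from microservices-platform. Binds the OAuth2
 * authorization request to the browser session with a random `state` and
 * validates it on the callback before the authorization code is exchanged.
 * The session map and the URLs are stand-ins (assumption) so that the class
 * compiles stand-alone.
 */
public class OAuthStateDemo {
    private static final SecureRandom RANDOM = new SecureRandom();
    private static final String SESSION_KEY = "oauth2.state";

    // Stand-in for HttpSession: one attribute map per session id (assumption).
    private final Map<String, Map<String, String>> sessions = new HashMap<>();
    private final String authorizeEndpoint; // hypothetical /oauth/authorize URL
    private final String clientId;
    private final String redirectUri;

    public OAuthStateDemo(String authorizeEndpoint, String clientId, String redirectUri) {
        this.authorizeEndpoint = authorizeEndpoint;
        this.clientId = clientId;
        this.redirectUri = redirectUri;
    }

    /** Step 1: build the authorization URL and remember the state for this session. */
    public String buildAuthorizeUrl(String sessionId) {
        byte[] buf = new byte[32];
        RANDOM.nextBytes(buf);                        // 256 bits, unguessable
        String state = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
        sessions.computeIfAbsent(sessionId, k -> new HashMap<>()).put(SESSION_KEY, state);
        return authorizeEndpoint + "?response_type=code"
                + "&client_id=" + URLEncoder.encode(clientId, StandardCharsets.UTF_8)
                + "&redirect_uri=" + URLEncoder.encode(redirectUri, StandardCharsets.UTF_8)
                + "&scope=app"
                + "&state=" + state;                  // URL-safe base64, needs no encoding
    }

    /**
     * Step 2: on the callback, validate state before touching the code.
     * Returns the token-request parameters, or empty when the callback was
     * not initiated by this session (treat as CSRF and do not exchange).
     */
    public Optional<Map<String, String>> tokenRequestParams(String sessionId, String code,
                                                            String returnedState) {
        Map<String, String> session = sessions.get(sessionId);
        // Single use: remove so a replayed callback cannot reuse the value.
        String expected = session == null ? null : session.remove(SESSION_KEY);
        if (expected == null || returnedState == null
                || !MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                          returnedState.getBytes(StandardCharsets.UTF_8))) {
            return Optional.empty();
        }
        // Same parameters the issue quotes from ApiController.getAccessToken.
        Map<String, String> param = new LinkedHashMap<>();
        param.put("code", code);
        param.put("grant_type", "authorization_code");
        param.put("redirect_uri", redirectUri);
        param.put("scope", "app");
        return Optional.of(param);
    }

    public static void main(String[] args) {
        // Constructed values; not the project's real endpoint or client.
        OAuthStateDemo demo = new OAuthStateDemo(
                "https://uaa.example.invalid/oauth/authorize", "webApp", "http://127.0.0.1:8080/login");

        // Genuine flow: the callback carries the state that was issued to session-A.
        String url = demo.buildAuthorizeUrl("session-A");
        String issued = url.substring(url.indexOf("state=") + "state=".length());
        System.out.println("authorize URL: " + url);
        System.out.println("genuine callback accepted: "
                + demo.tokenRequestParams("session-A", "code-123", issued).isPresent());

        // CSRF case from RFC 6749: session-B started a login, but the callback it
        // receives carries a code and state that session-B never issued.
        demo.buildAuthorizeUrl("session-B");
        System.out.println("forged callback rejected: "
                + demo.tokenRequestParams("session-B", "attacker-code", "bogus").isEmpty());
    }
}
```

Two design points carry over to a real Spring controller: the comparison uses `MessageDigest.isEqual` so the check does not leak timing information, and the stored state is removed on first use so that a callback URL cannot be replayed after a successful login.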

commented

Thank you for your suggestion! Adding the `state` parameter can effectively prevent CSRF attacks.

But my demo is just a simple sso demonstration. The simplest way to demonstrate the entire sso interaction process does not need to consider CSRF attacks.

Thank you for your response. I am closing the issue.