
Security issue: state parameter missing in redirect URL #17

Closed
islamazhar opened this issue May 18, 2020 · 2 comments

islamazhar commented May 18, 2020

Hi,

I am a bit concerned while using the project's code for my own microservice because I noticed that the state parameter in the redirect URL is missing.
RFC 6749 strongly recommends the presence of the state parameter because the absence of the state parameter can essentially enable an attacker to perform a Cross-Site Request Forgery (CSRF) attack [1].

The following code snippet is what I am talking about. It is from the getAccessToken method in the ApiController REST controller class, where the parameters of the redirect URL, such as code, grant_type, redirect_uri and scope, are constructed.

```java
// zlt-demo/sso-demo/web-sso/src/main/java/com/sso/demo/controller/ApiController.java
// Parameters sent with the authorization code; no state parameter accompanies them.
param.add("code", code);
param.add("grant_type", "authorization_code");
param.add("redirect_uri", redirectUri);
param.add("scope", "app");
```

I want to know your view on this security concern and how it can affect the security of my application against a CSRF attack, as mentioned in the RFC 6749 document.
Thanks in advance.

References:
[1] RFC 6749, The OAuth 2.0 Authorization Framework: Cross-Site Request Forgery.
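As an added illustration of the point raised above (example code written for this thread, not the project's own Java code), the following standalone Python client-side flow shows what the missing piece looks like: a fresh `state` value is bound to the user's session when the login starts, and the callback is refused unless the echoed `state` matches before the authorization code is ever exchanged. The endpoint URL, client id and redirect URI are constructed placeholders, and the token-endpoint parameters mirror the ones in the snippet quoted in the issue.

```python
# Added example (not from the project): generating, binding and verifying
# the OAuth 2.0 "state" parameter on the client side of the authorization
# code flow. All URLs and ids below are constructed placeholders.
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://sso.example.test/oauth/authorize"  # placeholder
REDIRECT_URI = "https://client.example.test/api/callback"        # placeholder
CLIENT_ID = "web-sso-demo"                                       # placeholder


def begin_login(session: dict) -> str:
    """Start the authorization-code flow for one browser session.

    A fresh, unguessable state value is generated, stored server-side in
    the user's session, and carried on the authorization request so the
    authorization server echoes it back on the redirect.
    """
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "app",
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def token_request_params(code: str) -> dict:
    """The same parameters the issue's snippet builds for the token endpoint."""
    return {
        "code": code,
        "grant_type": "authorization_code",
        "redirect_uri": REDIRECT_URI,
        "scope": "app",
    }


def handle_callback(session: dict, callback_url: str) -> dict:
    """Process the redirect back from the authorization server.

    The state is consumed from the session (single use) and compared in
    constant time with the state on the redirect *before* the code is
    exchanged. A missing or mismatching state means this session did not
    start the login that produced the redirect, so it is rejected.
    """
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)   # consumed even on failure
    received = query.get("state", [None])[0]
    if expected is None or received is None:
        raise PermissionError("no state to verify; rejecting callback")
    if not hmac.compare_digest(expected.encode(), received.encode()):
        raise PermissionError("state mismatch; rejecting callback")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return token_request_params(code)


if __name__ == "__main__":
    session = {}
    print("redirect the user to:", begin_login(session))
    # The authorization server echoes the state back next to the code.
    callback = f"{REDIRECT_URI}?code=constructed-code&state={session['oauth_state']}"
    print("token request:", handle_callback(session, callback))
    # A callback without a state (what the quoted flow would accept) is refused.
    begin_login(session)
    try:
        handle_callback(session, f"{REDIRECT_URI}?code=constructed-code")
    except PermissionError as exc:
        print("rejected:", exc)
```

The state is popped from the session before comparison so that a redirect can only be accepted once, and the comparison uses `hmac.compare_digest` rather than `==` so the check does not leak timing information about the stored value.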

zlt2000 (Owner) commented May 18, 2020

Thank you for your suggestion! Adding the state parameter can effectively prevent CSRF attacks.

But my demo is just a simple SSO demonstration. The simplest way to demonstrate the entire SSO interaction process does not need to consider CSRF attacks.

islamazhar (Author) commented

Thank you for your response. I am closing the issue.
