Hi,

I am a bit concerned while using the project's code for my own microservice because I noticed that the `state` parameter in the redirect URL is missing.

RFC 6749 strongly recommends the presence of the `state` parameter because its absence can essentially enable an attacker to perform a Cross-Site Request Forgery (CSRF) attack [1].

The following code snippet is what I am talking about. It is from the `getAccessToken` method in the `ApiController` REST controller class, where the parameters of the redirect URL such as `code`, `grant_type`, `redirect_uri` and `scope` are constructed.

// zlt-demo/sso-demo/web-sso/src/main/java/com/sso/demo/controller/ApiController.java

I want to know your view on this security concern and how it can affect the security of my application against the CSRF attack mentioned in RFC 6749.

Thanks in advance.
Thank you for your suggestion! Adding the `state` parameter can effectively prevent CSRF attacks.

But my demo is just a simple SSO demonstration; the simplest way to demonstrate the entire SSO interaction process does not need to consider CSRF attacks.
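To make concrete what the reporter asks for and what the reply refers to, here is an added example that is not the zlt-demo project's code: a minimal client-side implementation, in Python, of the `state` binding that RFC 6749 section 10.12 requires of clients, next to a handler that skips the check, and a constructed login-CSRF attempt run against both. The endpoint URLs, client id, scope and the sample authorization codes are assumptions chosen for the example, and a plain dict stands in for the server-side session (an HttpSession in the Spring controller).

```python
# Added example (not the zlt-demo project's code): binding an OAuth 2.0
# authorization request to the browser session with a `state` value and
# rejecting any redirect-URI callback whose `state` does not match.
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical endpoints and client registration, chosen for the example.
AUTHORIZE_ENDPOINT = "https://sso.example.test/oauth/authorize"
CLIENT_ID = "webApp"
REDIRECT_URI = "https://client.example.test/login"
SCOPE = "app"

STATE_KEY = "oauth2_state"   # session attribute holding the pending state


def build_authorization_url(session: dict) -> str:
    """Start the authorization code flow.

    A fresh, unguessable `state` is stored in the user's server-side session
    and echoed in the request, so the authorization server sends it back on
    the redirect and the callback can be tied to the session that started it.
    """
    state = secrets.token_urlsafe(32)            # 256 bits of randomness
    session[STATE_KEY] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def extract_code(session: dict, callback_url: str) -> str:
    """Handle the redirect-URI callback and return the authorization code.

    Raises ValueError unless the callback carries exactly the `state` this
    session issued. The stored state is consumed on first use, so a replayed
    or second callback is rejected as well.
    """
    query = parse_qs(urlparse(callback_url).query)
    received = query.get("state", [None])[0]
    expected = session.pop(STATE_KEY, None)      # single use: consume it
    if expected is None or received is None:
        raise ValueError("missing state: callback is not bound to this session")
    # Constant-time compare on bytes, so a non-ASCII value is a clean reject.
    if not hmac.compare_digest(expected.encode(), received.encode("utf-8", "replace")):
        raise ValueError("state mismatch: possible CSRF, rejecting callback")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def unprotected_extract_code(callback_url: str) -> str:
    """What the reporter describes: the code is taken from the callback with
    no check that this browser ever started the login, so any URL an attacker
    can make the victim's browser load is accepted."""
    query = parse_qs(urlparse(callback_url).query)
    return query.get("code", [None])[0]


def login_csrf_scenario() -> dict:
    """Constructed attack: the attacker obtains a code for *their own* account
    and tricks the victim's browser into delivering it to the client's
    redirect URI, so the victim's session would be logged in as the attacker."""
    attacker_code = "ATTACKER_CODE_000"          # constructed sample value

    # The attacker can complete their own login start and learn their own state.
    attacker_session: dict = {}
    build_authorization_url(attacker_session)
    attacker_state = attacker_session[STATE_KEY]

    victim_session: dict = {}
    build_authorization_url(victim_session)      # victim had started a login

    forged_plain = f"{REDIRECT_URI}?code={attacker_code}"
    forged_with_state = f"{REDIRECT_URI}?code={attacker_code}&state={attacker_state}"

    outcome = {"unprotected_accepts": unprotected_extract_code(forged_plain) == attacker_code}
    for label, url in (("protected_accepts", forged_plain),
                       ("protected_accepts_attacker_state", forged_with_state)):
        try:
            extract_code(dict(victim_session), url)  # copy: each attempt sees the pending state
            outcome[label] = True
        except ValueError:
            outcome[label] = False
    return outcome
```

In the Spring controller the same check belongs at the top of `getAccessToken`: read the pending state from the `HttpSession`, compare it with the `state` query parameter, remove it, and only then exchange the `code` at the token endpoint.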
References:
[1] RFC 6749, The OAuth 2.0 Authorization Framework, Section 10.12, Cross-Site Request Forgery.