State parameter

CSRF attacks

There is the opportunity with an OAuth2.0 authorization flow for a Cross-Site Request Forgery (CSRF) attack. This is where an attacker compromises the redirect URL and gains access to the user-protected data.

A CSRF attack is easily mitigated with the state parameter, a client-provided value such as an encoded session id. It is provided with the initial Authorization URI and returned via the redirect URI and Authorization code.

This client-provided value can then be compared to ensure it was the original request and a CSRF attack is not being attempted. If the values don't match the Client should reject the client.

Use of the state parameter is not required. Although it is highly recommended to maintain a high level of security


Cross-Site Request Forgery

For a detailed description of CSRF, go to RFC-6749

Using State parameter

  1. Generate a unique string for each user / request. Save to client
  2. Build Authorization URL using State parameter{client_id}&redirect_uri={redirect_uri}&scope=read+write&response_type=code&state={unqiue_state}
  3. Redirect user to Authorization URL
  4. On redirect catch verify State in URL is equal to state provided in step 1.