State parameter

Protection from the CSRF attacks

A Cross-Site Request Forgery (CSRF) attack on the OAuth 2.0 authorization flow can be effectively mitigated by using the state parameter. The state parameter is a client-generated value, often an encoded session identifier or a unique token, that is sent with the initial Authorization Request URI. The authorization server later returns this value unchanged to the client on the redirect URI, alongside the authorization code.

Upon receiving the redirect URI, the client (your application) compares the returned state value with the one it originally sent. This ensures that the authorization request and response are part of the same interaction and that no malicious actor has tampered with the request. If the state values do not match, the client should reject the response and halt the authorization process.

Without this safeguard, there is a risk of a CSRF attack in the OAuth 2.0 authorization flow. Proper validation of the state parameter helps to prevent this type of vulnerability and ensures the integrity of the authorization flow.

Use of the state parameter is not required, but it is highly recommended in order to maintain a high level of security.


Cross-Site Request Forgery

For a detailed description of CSRF, go to RFC-6749

Using the state parameter

  1. Generate a unique string for each user/request and save it so you can compare it with the one in the Redirect URI later.
  2. Build an Authorization URL with the state parameter:
    https://app.pandadoc.com/oauth2/authorize?client_id={client_id}&redirect_uri={redirect_uri}&scope=read+write&response_type=code&state={unique_state}
  3. Redirect the user to the Authorization URL.
  4. When the user is redirected back to your app, verify that the state parameter in the URL matches the state value you set in the original URL:
    {redirect_uri}?state={unique_state}&code={authorization_code}