Not sure what kind of CSRF attack prevents the "state" parameter in OpenID Connect server flow. Could someone give me an example?
Traditionally, the state parameter is used to provide protection against Cross-Site Request Forgery (CSRF) attacks on OAuth. The newer mechanisms PKCE (RFC7636) and the OpenID Connect parameter nonce not only protect against CSRF, but they also provide some level of protection against Code Injection attacks.
For an ASP.NET or ASP.NET Core web application using the OpenID Connect OWIN middleware, the ‘state’ parameter is maintained automatically by the middleware when it sends out an authentication request, as follows.
The code flow has two steps.

Code flow, step 1: The RP initiates user authentication by redirecting the browser to the OAuth 2.0 authorisation endpoint of the OpenID Provider. The OpenID authentication request is essentially an OAuth 2.0 authorisation request to access the user's identity, indicated by an openid value in the scope parameter.
The recommended way to achieve this is to use the ‘state’ parameter as defined in the OpenID Connect standards. As also mentioned in our documentation, the ‘state’ parameter is used both for preventing cross-site request forgery attacks and for maintaining the user’s state before the authentication request occurs:
10.1 How is OpenID Connect related to OAuth 2.0?

OAuth 2.0 is a framework for obtaining access tokens for protected resources such as web APIs. OpenID Connect utilises the OAuth 2.0 semantics and flows to allow clients (relying parties) to access the user's identity, encoded in a JSON Web Token (JWT) called the ID token.
It prevents an attack where the attacker produces a fake authentication response, e.g. as part of the Basic Client Profile by sending a code to the Client's redirect URI. For example: after phishing the user, an attacker could inject a stolen code that would be associated with the current user in this way. The state correlates request and response, so an unsolicited crafted response is not possible without knowing the state parameter that was used in the request.
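An added illustration (not code from any of the posts above) of the request/response correlation this answer describes, as a minimal Python relying party: a random state is bound to the browser session when the authentication request is built, and the callback is accepted only if it carries that same state, once. The OpenID Provider endpoint, client id, redirect URI and in-memory session store are placeholder assumptions.

```python
import secrets
import hmac
from typing import Dict, Optional
from urllib.parse import urlencode, parse_qs, urlparse

# Constructed stand-in for the RP's server-side session store, keyed by the
# browser's session id (hypothetical; a real RP uses its framework's session).
SESSIONS: Dict[str, dict] = {}

AUTHZ_ENDPOINT = "https://op.example/authorize"  # placeholder OpenID Provider
REDIRECT_URI = "https://rp.example/callback"     # placeholder client redirect URI
CLIENT_ID = "example-client"                     # placeholder client identifier


def begin_login(session_id: str) -> str:
    """Build the OIDC authentication request and bind a fresh state to this session.

    The state is an unguessable random value stored server-side under the user's
    session, so only a response to *this* request can later match it.
    """
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)  # binds the ID token to this request (not checked here)
    SESSIONS.setdefault(session_id, {})["oidc_state"] = state
    SESSIONS[session_id]["oidc_nonce"] = nonce
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def handle_callback(session_id: str, callback_url: str) -> Optional[str]:
    """Return the authorization code only if the response carries the session's state.

    A response with a missing or unknown state (e.g. an attacker-supplied code
    delivered to this user's browser) is rejected before the code is exchanged.
    The stored state is consumed on first use, so a replay is rejected as well.
    """
    query = parse_qs(urlparse(callback_url).query)
    received_state = query.get("state", [None])[0]
    expected_state = SESSIONS.get(session_id, {}).pop("oidc_state", None)
    if expected_state is None or received_state is None:
        return None
    if not hmac.compare_digest(expected_state, received_state):
        return None
    return query.get("code", [None])[0]
```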