I noticed a flaw in your implementation of AuthCode and Implicit grant. When you redirect back to the client URL with an error code and message, you do not pass back the "state" parameter that was passed to the authorization URL. RFC 6749 clearly states that you should do so in sections 4.1.2.1 and 4.2.2.1 (cf. https://tools.ietf.org/html/rfc6749#section-4.1.2.1).
Not passing back the "state" parameter means that clients must either implicitly trust your error messages (which can be dangerous) or flag your response as a possible CSRF attack (thus ignoring your error message).
Suggestion: Make the various constructors of OAuthServerException optionally accept a "state" parameter which is then appended to the redirect URI, and pass the appropriate value whenever the AuthCodeGrant and ImplicitGrant classes throw this exception.
Well it's very easy, just deny the permissions. Your highlight only runs if the authorization request is approved. If it is not approved, line 336 of the very same file creates an error response that doesn't include the state.
If you want, I can submit a PR to fix the issue, I think I have a pretty good idea of how to fix it.
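The behaviour the issue asks for, as an added example that is not code from the oauth2-server project: an authorization server builds the error redirect as RFC 6749 §4.1.2.1 requires (echoing `state` whenever the request carried one), and a client refuses to trust any callback, success or error, whose `state` does not match the one it stored. Function names and URLs are hypothetical.

```python
from typing import Optional
from urllib.parse import urlencode, urlsplit, parse_qs


def build_error_redirect(redirect_uri: str, error: str, state: Optional[str],
                         description: Optional[str] = None) -> str:
    """Server side: redirect back to the client when the request is denied.

    RFC 6749 §4.1.2.1 requires `error`, allows `error_description`, and
    requires `state` if the authorization request included it. Omitting
    it is the defect described in the issue above.
    """
    params = {"error": error}
    if description:
        params["error_description"] = description
    if state is not None:
        params["state"] = state
    # Append to an existing query string if the registered URI has one.
    sep = "&" if urlsplit(redirect_uri).query else "?"
    return f"{redirect_uri}{sep}{urlencode(params)}"


def client_handle_callback(callback_url: str, expected_state: str) -> dict:
    """Client side: check `state` before trusting code OR error."""
    qs = parse_qs(urlsplit(callback_url).query)
    got = qs.get("state", [None])[0]
    if got != expected_state:
        # Without a matching state the client cannot distinguish a genuine
        # denial from a forged redirect, so it must not show the error text.
        return {"status": "rejected", "reason": "state mismatch"}
    if "error" in qs:
        return {"status": "denied", "error": qs["error"][0],
                "description": qs.get("error_description", [""])[0]}
    return {"status": "ok", "code": qs["code"][0]}


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    good = build_error_redirect("https://client.example/cb", "access_denied",
                                "xyz123", "User denied the request")
    print(good, client_handle_callback(good, "xyz123"))
    bad = build_error_redirect("https://client.example/cb", "access_denied", None)
    print(bad, client_handle_callback(bad, "xyz123"))
```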