How does the OAuth2.0 Server stack use state to prevent CSRF? (For draft 2.0 v20)
I am using the PHP library for OAuth2.0 v20.
In draft 20, there is a mention of the use of state to prevent CSRF.
So far, my own web app that implements this PHP library allows the following:
- 3-legged authentication using the authorization code request
- 2-legged authentication grant using resource owner credentials
- Requests to refresh the access token
Do I need to use state for all of the 3 situations above?
If so, what is a good example of "state"?
What is a good "state"?
Any ideal length? Any minimum length? Any maximum length?
Any ideal makeup? Alphanumeric including upper case?
Recommended answer
Just for #1 -- 3-legged authorization using the Authorization Code flow.
When your application exchanges the authorization code for an access token, you want to be sure that the OAuth flow which resulted in the authorization code provided was actually initiated by the legitimate user. So, before the client application kicks off the OAuth flow by redirecting the user to the provider, the client application creates a random state value and typically stores it in a server-side session. Then, as the user completes the OAuth flow, you check to make sure the state value matches the value stored in the user's server-side session, as that indicates the user had initiated the OAuth flow.
A state value should typically be a pseudo-random, unguessable value. A simple value can be generated as an int with the rand() function in PHP, though you could get more complex as well to provide greater assurance.
The state exists to prevent things like me sending you a link via e-mail which contains an authorization code for my account, you clicking on it, and the application pushing all the data into my account unbeknownst to you.
Some additional information is in the OAuth 2.0 threat model document: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-threatmodel-00
In particular, see the section on CSRF protection: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-26#section-10.12
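The generate-store-redirect-verify sequence the answer describes, written out as an added PHP example (it is not code from the original answer or from any OAuth2 library). It assumes PHP 7+ (for `random_bytes` and `hash_equals`), an active PHP session, and a hypothetical client configuration passed in as `$authorizeEndpoint`, `$clientId` and `$redirectUri`; the `oauth2_state` session keys and the 10-minute expiry are choices made for the example. It uses a CSPRNG rather than `rand()`, and a constant-time comparison on the callback.

```php
<?php
// Added example, not part of the original answer or of the OAuth2 PHP library:
// generating, storing and verifying the CSRF "state" parameter for the
// Authorization Code flow. Assumes PHP >= 7.0 and that session_start() has
// already been called. Endpoint, client id and redirect URI are hypothetical.

declare(strict_types=1);

/** Produce an unguessable state: 32 bytes from the CSPRNG, hex-encoded (64 chars). */
function generateState(): string
{
    return bin2hex(random_bytes(32));
}

/**
 * Step 1: before redirecting the user to the provider, create the state and
 * bind it to this user's server-side session, then put it in the authorize URL.
 */
function buildAuthorizationUrl(string $authorizeEndpoint, string $clientId, string $redirectUri): string
{
    $state = generateState();
    $_SESSION['oauth2_state'] = $state;          // only this browser session knows it
    $_SESSION['oauth2_state_issued'] = time();   // lets a stale state be rejected

    $params = [
        'response_type' => 'code',
        'client_id'     => $clientId,
        'redirect_uri'  => $redirectUri,
        'state'         => $state,
    ];
    return $authorizeEndpoint . '?' . http_build_query($params);
}

/**
 * Step 2: on the redirect back from the provider, verify the returned state
 * against the session BEFORE exchanging the authorization code for a token.
 * Returns true only when the flow was started in this very session.
 */
function verifyState(array $query, int $maxAgeSeconds = 600): bool
{
    $expected = $_SESSION['oauth2_state'] ?? null;
    $issued   = (int) ($_SESSION['oauth2_state_issued'] ?? 0);

    // Consume the stored state whatever the outcome: one state, one callback.
    unset($_SESSION['oauth2_state'], $_SESSION['oauth2_state_issued']);

    if ($expected === null || !isset($query['state']) || !is_string($query['state'])) {
        return false;   // no state was issued in this session, or none came back
    }
    if (time() - $issued > $maxAgeSeconds) {
        return false;   // too old; the user must restart the flow
    }
    // Constant-time comparison so a mismatch does not leak the expected value.
    return hash_equals($expected, $query['state']);
}

// Usage sketch for the callback handler (the code is only exchanged after this check):
//
// session_start();
// if (!verifyState($_GET)) {
//     http_response_code(400);
//     exit('OAuth state mismatch: this flow was not started in the current session.');
// }
// $code = $_GET['code'] ?? null;   // now safe to exchange $code for an access token
```

Two design points worth noting: the state is removed from the session as soon as a callback arrives, so a captured authorization URL cannot be replayed into the same session, and the check happens before the code exchange, which is exactly the point at which the answer says the mail-me-a-link scenario must be stopped.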