What is the purpose of the 'state' parameter in OAuth authorization request

Views: 430

Problem description

In OAuth, the initial authorization request has a state parameter. Apparently it's there for security reasons, but I don't really understand against what it protects... For instance, on GitHub the description of this parameter is:

An unguessable random string. It is used to protect against cross-site request forgery attacks.

From what I can see, the state from the authorization request is just passed as a parameter to the redirect URL like this:

http://<redirect_url>?code=17b1a8df59ddd92c5c3b&state=a4e0761e-8c21-4e20-819d-5a4daeab4ea9

Could someone explain the exact purpose of this parameter?

Recommended answer

The state parameter is used to protect against XSRF. Your application generates a random string and sends it to the authorization server using the state parameter. The authorization server sends back the state parameter. If both states are the same => OK. If the state parameters are different, someone else has initiated the request.

The example from Google is maybe clearer: https://developers.google.com/accounts/docs/OAuth2Login?hl=fr#createxsrftoken
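The generate-store-compare cycle the answer describes, as an added example that is not part of the original question or answer. The endpoint, client id and redirect URI are constructed placeholders; the session is modelled as a plain dict standing in for a server-side session store.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders for this example, not a real provider's values.
AUTHORIZE_URL = "https://provider.example/login/oauth/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.org/callback"


def begin_authorization(session: dict) -> str:
    """Generate an unguessable state, bind it to the caller's session,
    and build the authorization request URL that carries it."""
    state = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG
    session["oauth_state"] = state         # kept server-side, per user session
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "read:user",
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> Optional[str]:
    """Return the authorization code only if the state echoed back by the
    authorization server matches the one bound to this session.

    A callback that was not started from this session (no stored state),
    or that carries someone else's state, yields None and must be ignored.
    """
    expected = session.pop("oauth_state", None)   # single use: consume it
    query = parse_qs(urlparse(callback_url).query)
    returned = query.get("state", [None])[0]
    code = query.get("code", [None])[0]
    if expected is None or returned is None or code is None:
        return None
    # Constant-time comparison so timing does not leak the expected value.
    if not hmac.compare_digest(expected.encode(), returned.encode()):
        return None
    return code
```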
