OAuth2.0服务器堆栈如何使用状态来防止CSRF?适用于draft2.0 v20 [英] OAuth2.0 Server stack how to use state to prevent CSRF? for draft2.0 v20

问题描述

我正在使用用于OAuth2.0 v20的PHP库

在草稿20中，有提到了使用状态来防止CSRF

到目前为止，我自己的实现此PHP库的Web应用程序允许以下操作:

So far, my own web app that implements this PHP library allows the following:

1. 使用授权码请求进行三段式身份验证
2. 使用资源所有者凭证授予的两足式身份验证
3. 一个刷新访问令牌的请求

1. 3 legged authentication using Authorization Code Request
2. 2 legged authentication using Resource Owner Credentials Grant
3. a Request that refreshes an access token

在上述三种情况下，我都需要使用状态吗?

Do I need to use state for all of the 3 situations above?

如果是这样，状态"的一个好例子是什么?

If so, what is a good example of "state"?

什么才是好的状态"?

任何理想的长度?有最小长度吗?有最大长度吗?

Any ideal length? Any minimum length? Any maximum length?

有理想的妆容吗?字母数字包括大写字母吗?

Any ideal makeup? alphanumeric including upper case?

推荐答案

仅适用于#1 –使用授权代码流的三足式 authorization .

Just for #1 -- 3-legged authorization using Authorization Code flow.

当您的应用程序将授权代码交换为访问令牌时，您要确保导致提供所提供授权代码的OAuth流实际上是由合法用户发起的.因此，在客户端应用程序通过将用户重定向到提供程序开始OAuth流之前，客户端应用程序会创建一个随机状态值，通常将其存储在服务器端会话中.然后，当用户完成OAuth流程时，您检查以确保状态值与存储在用户服务器端会话中的值匹配，这表明用户已启动OAuth流程.

When your application exchanges the authorization code for an access token, you want to be sure that the OAuth flow which resulted in the authorization code provided was actually initiated by the legitimate user. So, before the client application kicks off the OAuth flow by redirecting the user to the provider, the client application creates a random state value and typically store it in a server-side session. Then, as the user completes the OAuth flow, you check to make sure state value matches the value stored in the user's server-side session-- as that indicates the user had initiated the OAuth flow.

状态值通常应为伪随机不可猜测值.可以使用PHP中的rand()函数将一个简单的值生成为int，尽管您也可以变得更加复杂以提供更大的保证.

A state value should typically be a pseudo-random unguessable value. A simple value can be generated as an int with the rand() function in PHP, though you could get more complex as well to provide greater assurance.

这种状态的存在是为了防止类似我这样的事情通过电子邮件向您发送包含我的帐户授权码的链接，您单击该链接，然后应用程序会将您不知道的所有数据推送到我的帐户中.

The state exists to prevent things like me sending you a link via e-mail which contains an authorization code for my account, you clicking on it and the application pushing all the data into my account unbeknownst to you.

OAuth 2.0威胁模型文档中有一些其他信息: http://tools.ietf.org/html/draft-ietf -oauth-v2-threatmodel-00

Some additional information is in the OAuth 2.0 threat model document: http://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-00

尤其是，请参阅有关CSRF保护的部分: http://tools.ietf.org/html/draft -ietf-oauth-v2-26#section-10.12

In particular, see the section on CSRF protection: http://tools.ietf.org/html/draft-ietf-oauth-v2-26#section-10.12

这篇关于OAuth2.0服务器堆栈如何使用状态来防止CSRF?适用于draft2.0 v20的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！