是什么阻止了“状态"的产生? OpenID Connect服务器流中的参数? [英] What prevents the "state" parameter in OpenID Connect server flow?

问题描述

不确定哪种CSRF攻击会阻止OpenID Connect服务器流中的状态"参数.有人可以给我一个例子吗?

Not sure what kind of CSRF attack prevents the "state" parameter in OpenID Connect server flow. Could someone give me an example?

推荐答案

它可以防止攻击者产生虚假的身份验证响应(例如，通过向客户端的重定向URI发送code作为基本客户端配置文件的一部分.例如:仿冒用户后，攻击者可以以这种方式注入将与当前用户关联的被盗code. state将请求和响应相关联，因此，在不知道请求中使用的state参数的情况下，无法进行未经请求的精心设计的响应.

It prevents an attack where the attacker produces a fake authentication response, e.g. as part of the Basic Client Profile by sending a code to the Client's redirect URI. For example: after phishing the user an attacker could inject a stolen code that would be associated with the current user in this way. The state correlates request and response so an unsolicited crafted response is not possible without knowing the state parameter that was used in the request.

这篇关于是什么阻止了“状态"的产生? OpenID Connect服务器流中的参数?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！