[Koha-bugs] [Bug 33675] Add CSRF protection to OAuth/OIDC authentication

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Thu May 11 01:29:00 CEST 2023


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675

--- Comment #3 from David Cook <dcook at prosentient.com.au> ---
(In reply to Tomás Cohen Arazi from comment #1)
> This is a recommended openid-connect parameter [1] and OAuth2 integrations
> seem to require it [2], but I'm not sure if it should be enforced. Basically
> because I don't know all the IdPs around.

It looks like OAuth2 also only recommends it:
https://www.rfc-editor.org/rfc/rfc6749#section-4.1.1

However, the specs do say that the "state" parameter is required in the
Authorization Response if it was included in the Authorization Request:
https://www.rfc-editor.org/rfc/rfc6749#section-4.1.2

I suspect that most IdPs should support "state" if they want to be
spec-compliant, although I suppose there's no guarantee. I've certainly dealt
with one non-compliant IdP in the past, although that was nearly 10 years ago now.

If we are worried, I think we could make using "state" optional in terms of
whether or not to send it, but... I think it should be all right.
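An added illustration of the "state" handling discussed in this thread. This is example code written for this page, not Koha's own OAuth/OIDC implementation, and it is in Python rather than Koha's Perl; the endpoint URLs, client id and session key name are hypothetical. It mints an unguessable state, binds it to the user's session, puts it in the Authorization Request, and then rejects any Authorization Response whose state is wrong, absent (the case of an IdP that does not echo it as RFC 6749 section 4.1.2 requires), or already consumed:

```python
"""OAuth 2.0 / OIDC `state` as a login-CSRF check (added example, not Koha code)."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

SESSION_KEY = "oauth_state"  # hypothetical name of the session slot holding the state


class StateError(Exception):
    """Authorization Response rejected because `state` did not check out."""


def begin_authorization(session, authorize_endpoint, client_id, redirect_uri, scope="openid"):
    """Build the Authorization Request URL and remember the state in the session."""
    state = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, URL-safe text
    session[SESSION_KEY] = state
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def state_from_url(url):
    """Return the `state` query parameter of a URL, or None if it is absent."""
    return parse_qs(urlparse(url).query).get("state", [None])[0]


def complete_authorization(session, callback_url):
    """Validate the Authorization Response and return the authorization code.

    The expected state is popped from the session, so it is single-use and a
    replayed callback fails.  Raises StateError on any problem.
    """
    expected = session.pop(SESSION_KEY, None)
    if expected is None:
        raise StateError("no authorization in progress for this session")
    query = parse_qs(urlparse(callback_url).query)
    received = query.get("state", [None])[0]
    if received is None:
        # We sent state, so a compliant IdP must echo it.  Treat its absence
        # like a forged response instead of silently skipping the check.
        raise StateError("IdP omitted state from the Authorization Response")
    if not secrets.compare_digest(expected, received):  # constant-time comparison
        raise StateError("state mismatch: callback was not started by this session")
    if "error" in query:
        raise StateError(f"IdP returned error: {query['error'][0]}")
    code = query.get("code", [None])[0]
    if code is None:
        raise StateError("Authorization Response carries no code")
    return code


def simulate_flows():
    """Run the honest flow plus three attacks and report what each yields."""
    authorize = "https://idp.example/authorize"        # hypothetical IdP endpoint
    callback = "https://opac.example/oauth/callback"   # hypothetical redirect_uri
    results = {}

    # 1. Honest flow: the IdP redirects back with a code and the state we sent.
    session = {}
    url = begin_authorization(session, authorize, "koha-opac", callback)
    results["legitimate"] = complete_authorization(
        session, f"{callback}?code=honest-code&state={state_from_url(url)}")

    # 2. Login CSRF: the victim is lured to a callback carrying the attacker's
    #    code; the victim's pending state does not match the attacker's guess.
    session = {}
    begin_authorization(session, authorize, "koha-opac", callback)
    try:
        complete_authorization(session, f"{callback}?code=attacker-code&state=guess")
        results["wrong_state"] = "accepted"
    except StateError:
        results["wrong_state"] = "rejected"

    # 3. Same attack where state is simply dropped from the callback.
    session = {}
    begin_authorization(session, authorize, "koha-opac", callback)
    try:
        complete_authorization(session, f"{callback}?code=attacker-code")
        results["missing_state"] = "accepted"
    except StateError:
        results["missing_state"] = "rejected"

    # 4. Replay of a valid callback after its state has been consumed.
    session = {}
    url = begin_authorization(session, authorize, "koha-opac", callback)
    good = f"{callback}?code=honest-code&state={state_from_url(url)}"
    complete_authorization(session, good)
    try:
        complete_authorization(session, good)
        results["replay"] = "accepted"
    except StateError:
        results["replay"] = "rejected"
    return results


if __name__ == "__main__":
    print(simulate_flows())
```

If sending "state" were made optional per IdP, case 3 would have to be accepted whenever the option is off, which is exactly the login-CSRF exposure the check exists to close; the example therefore always sends it and treats a missing echo as a failure.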
