ProviderSignInController and the state parameter to prevent CSRF during OAuth2 dance

  • ProviderSignInController and the state parameter to prevent CSRF during OAuth2 dance

    Facebook authentication documentation (Last section in indicates that a state parameter should be passed through and validated during the OAuth2 dance as a security precaution.

    I don't see that the ProviderSignInController accomplishes this. Is this ability built into spring social? If yes, how do I configure it to send and confirm the state parameter. If not, how do I minimally accomplish it (and will a future release provide this functionality)?

    Thanks in advance for the replies.

  • #2
    You're correct in saying that Spring Social's controllers do not directly support this. I've created to track this work. Thanks for bringing this to my attention.

    Note that the connection and sign-in controllers are generic and support providers other than Facebook. Therefore, this is not a simple matter of sending state and then comparing it after the redirect. If I were to naively implement it that way, then connection flows for providers who do not support this mechanism would fail. Therefore, I'll need to set aside some time to see what, if any, CSRF protection other providers offer and design the work such that it provides protection for those who do support it and flows freely for those who don't.
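The mechanism the two posts above discuss, as an added, framework-agnostic example (not Spring Social code and not from this thread): a random `state` is generated per authorization request, kept in the user's session, sent to the provider, and compared in constant time when the callback arrives. Following the design concern in #2, a constructed per-provider flag decides whether the check applies, so a provider that never echoes `state` is not broken by it. The provider table, the `oauth2_state` session key and the URLs are constructed for illustration; a real controller would read them from its connection factories.

```python
"""OAuth2 'state' CSRF protection, minimal and framework-agnostic (constructed example)."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed provider table. Facebook documents support for 'state'; the second
# entry is a hypothetical provider that ignores it, which is the case #2 warns about.
PROVIDERS = {
    "facebook": {
        "authorize_url": "https://www.facebook.com/dialog/oauth",
        "supports_state": True,
    },
    "legacyprovider": {
        "authorize_url": "https://legacy.example/oauth/authorize",
        "supports_state": False,
    },
}

STATE_KEY = "oauth2_state"  # session attribute name; an assumption of this example


def build_authorize_url(session, provider_id, client_id, redirect_uri, scope=None):
    """Build the redirect to the provider. For providers that support it, mint a
    fresh unguessable state, remember it in the session, and send it along."""
    provider = PROVIDERS[provider_id]
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
    }
    if scope:
        params["scope"] = scope
    if provider["supports_state"]:
        state = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        session[STATE_KEY] = state
        params["state"] = state
    return provider["authorize_url"] + "?" + urlencode(params)


def validate_callback(session, provider_id, callback_url):
    """Return the authorization code if the callback is acceptable, else raise.

    The stored state is popped so it is single-use: a second callback carrying
    the same value (a replay) fails even though the value was once valid."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise ValueError("provider returned error: %s" % query["error"][0])
    code = query.get("code", [None])[0]
    if code is None:
        raise ValueError("callback carries no authorization code")

    if not PROVIDERS[provider_id]["supports_state"]:
        return code  # provider never echoes state; nothing to compare

    expected = session.pop(STATE_KEY, None)
    received = query.get("state", [None])[0]
    if expected is None or received is None or not hmac.compare_digest(expected, received):
        raise ValueError("state mismatch: request was not initiated by this session")
    return code
```

Everything the callback check needs lives in the server-side session, so an attacker who completes their own OAuth2 dance and tricks a victim into loading the resulting callback URL cannot supply a `state` the victim's session will accept.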


    • #3
      Thank you for your response, Craig.


      • #4
        Any updates on this?


        • #5
          I'm sorry to say that I've not had a chance to attack this yet. It's still on the roadmap for the next milestone release, though. Once I break away from some other tasks that are on my plate, I'll get started on this one.


          • #6
            I am also stuck at the same issue. I need to implement the state parameter through Spring social for FB.
            It seems we need to just add the "state" in ConnectSupport.getOAuth2Parameters method (after we set the scope parameter) where the Oauth2Parameters are set.
            Please let us know when we can get this fix/feature.


            • #7
              Any update on this?

              I can see a commit on Git:

              Craig Walls SOCIAL-299: Pass and receive state parameter in OAuth2 flow.

              Is this working now? When can we have this in a release?