How to use the state parameter in RESTful services for XSRF/CSRF prevention with the OIDC auth flow

Question


The page https://developers.google.com/identity/openid-connect/openid-connect advises how we can maintain state in the session on the service, so that it can be retrieved and validated later, once we obtain the auth code from the OP.
But how do we maintain state in a RESTful service, which is stateless? Please help.

Code like request.session().attribute("state", state) won't work there.
I am using .NET Core Web API for the services and JavaScript for UI development.

Answer 1

Score: 1


You can save the state in an encrypted cookie, for example. And in ASP.NET Core, the data stored in the session cookie is encrypted using the Data Protection API.

But in general, you should use the built-in dedicated Google authentication handler, as described here:
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/social/google-logins?view=aspnetcore-7.0
Then it is all handled for you.

Answer 2

Score: 0


So, this is what I did. I created an endpoint which I invoke (before redirecting to the OP) to generate the state and also return an HttpOnly cookie. Next, when I make a service call to retrieve a token for the auth code, I pass the state (retrieved from the URL) and the HttpOnly cookie to the service. The service endpoint validates that the state obtained from the cookie and the one passed in the body are equal. If they are the same then we are good; otherwise it rejects that request.

huangapple
  • Posted on 2023-04-04 07:48:53
  • When republishing, please keep the link to this article: https://go.coder-hub.com/75924505.html