dsvjmc0907 2016-02-22 15:59
Views: 65
Accepted

When to randomize the authentication code/state in OAuth2?

According to the docs at https://www.godoc.org/golang.org/x/oauth2#Config.AuthCodeURL

...State is a token to protect the user from CSRF attacks. You must always provide a non-zero string...

and at http://tools.ietf.org/html/rfc6749#section-10.12

...any request sent to the redirection URI endpoint to include a value that binds the request...

Yet this is specifically at the part in the flow when there is no session data, i.e. the user has not logged in and the auth code is only generated upon showing the anonymous page.

How then can this value be randomized and compared upon callback? Is it a static value randomized per server?


1 answer

  • douyi9705 2016-02-22 16:32

    state

    RECOMMENDED. An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client. The parameter SHOULD be used for preventing cross-site request forgery as described in Section 10.12.

    RFC 6749

    You use state to identify that the callback from the authorization server matches the request sent. If there wasn't state, an attacker could just call your callback URL with a random access token that you didn't request. With state you know that the called callback is in response to the request you made.

    So you randomize state per request that you send and track it until you receive the matching callback. It can be anything you want as long as it can't be guessed.

    A simple approach would be leveraging rand.Reader and base64 encoding the result:

    package main
    import (
        "crypto/rand"
        "encoding/base64"
        "io"
    )

    func state(n int) (string, error) {
        data := make([]byte, n)
        if _, err := io.ReadFull(rand.Reader, data); err != nil {
            return "", err
        }
        return base64.StdEncoding.EncodeToString(data), nil
    }

    This answer was accepted by the asker.
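The per-request tracking the answer describes, worked through for the case the question raises (no session exists when the anonymous login page is rendered): an added Go example, not code from the answer or from golang.org/x/oauth2. The session is created at that moment by writing the fresh state into a short-lived cookie, and the callback is accepted only when its state parameter matches that cookie. The cookie name, the handler names and the authURL parameter are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"net/http"
)

const stateCookie = "oauth_state" // assumed cookie name for this example

// newState returns n random bytes from crypto/rand, encoded with unpadded
// URL-safe base64 so the value survives a query string unchanged.
func newState(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// beginLogin starts the flow. No session exists yet, so it creates one: the
// fresh state goes into a short-lived cookie and into the authorization URL.
// authURL stands in for a closure around oauth2.Config.AuthCodeURL.
func beginLogin(w http.ResponseWriter, r *http.Request, authURL func(state string) string) error {
	state, err := newState(32)
	if err != nil {
		return err
	}
	http.SetCookie(w, &http.Cookie{
		Name: stateCookie, Value: state, Path: "/", MaxAge: 600,
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode,
	})
	http.Redirect(w, r, authURL(state), http.StatusFound)
	return nil
}

// checkState validates a callback: the state query parameter must match the
// cookie set by beginLogin in the same browser (constant-time compare).
func checkState(r *http.Request) error {
	c, err := r.Cookie(stateCookie)
	if err != nil || c.Value == "" {
		return errors.New("missing state cookie")
	}
	got := r.URL.Query().Get("state")
	if subtle.ConstantTimeCompare([]byte(got), []byte(c.Value)) != 1 {
		return errors.New("state mismatch")
	}
	return nil
}
```

After a successful check the callback handler should also clear the cookie, so each state value is accepted only once.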
