dsvjmc0907
2016-02-22 15:59
Viewed 64
Accepted

When to randomize the auth code/state in OAuth2?

According to the docs at https://www.godoc.org/golang.org/x/oauth2#Config.AuthCodeURL

...State is a token to protect the user from CSRF attacks. You must always provide a non-zero string...

and at http://tools.ietf.org/html/rfc6749#section-10.12

...any request sent to the redirection URI endpoint to include a value that binds the request...

Yet this is specifically at the part in the flow when there is no session data, i.e. the user has not logged in and the auth code is only generated upon showing the anonymous page.

How then can this value be randomized and compared upon callback? Is it a static value randomized per server?



1 answer

  • douyi9705 2016-02-22 16:32
    Accepted

    state

    RECOMMENDED. An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client. The parameter SHOULD be used for preventing cross-site request forgery as described in Section 10.12.

    RFC 6749

    You use state to identify that the callback from the authorization server matches the request sent. If there weren't state, an attacker could just call your callback URL with a random access token that you didn't request. With state you know that the called callback is in response to the request you made.

    So you randomize state per request that you sent and track it until you receive the matching callback. It can be anything you want as long as it can't be guessed.

    A simple approach would be leveraging rand.Reader and base64 encoding the result:

    import (
        "crypto/rand"
        "encoding/base64"
        "io"
    )

    // state returns n bytes from crypto/rand, base64-encoded, for use as the
    // unguessable OAuth2 state parameter.
    func state(n int) (string, error) {
        data := make([]byte, n)
        if _, err := io.ReadFull(rand.Reader, data); err != nil {
            return "", err
        }
        return base64.StdEncoding.EncodeToString(data), nil
    }
    
    This answer was accepted
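As an added example (not code from the answer or from the oauth2 package), this is one way to do the "track it until you receive the matching callback" step when no server-side session exists yet: the state is kept in a short-lived HttpOnly cookie on the browser that started the flow and compared, in constant time, against the state the authorization server echoes back. The cookie name and the handler names are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

const stateCookie = "oauth_state" // hypothetical cookie name

// beginLogin draws 32 bytes from crypto/rand, keeps them in a short-lived HttpOnly
// cookie (the only per-browser storage before a session exists) and returns them for AuthCodeURL.
func beginLogin(w http.ResponseWriter) (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	s := base64.RawURLEncoding.EncodeToString(b)
	http.SetCookie(w, &http.Cookie{
		Name: stateCookie, Value: s, Path: "/", MaxAge: 600,
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode,
	})
	return s, nil
}

// verifyState checks that the state echoed back by the authorization server matches
// the one this browser was issued; anything else is not a reply to our request.
func verifyState(r *http.Request) error {
	c, err := r.Cookie(stateCookie)
	if err != nil || c.Value == "" {
		return errors.New("no pending state for this browser")
	}
	got := r.URL.Query().Get("state")
	if subtle.ConstantTimeCompare([]byte(got), []byte(c.Value)) != 1 {
		return errors.New("state mismatch: callback not tied to our request")
	}
	return nil
}

func main() {
	rec := httptest.NewRecorder()
	s, _ := beginLogin(rec)
	cb := httptest.NewRequest("GET", "/callback?code=abc&state="+s, nil)
	cb.AddCookie(rec.Result().Cookies()[0])
	fmt.Println("genuine callback:", verifyState(cb))
}
```

The cookie is cleared or overwritten on the next login attempt, so a stale state from an abandoned flow cannot be replayed after its MaxAge.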
