Question

I am using a PHP library for OAuth 2.0 draft 20.

In draft 20, there is a mention of the use of state to prevent CSRF.

So far, my own web app that implements this PHP library allows the following:

- 3-legged authentication using the authorization code request
- 2-legged authentication grant using resource owner credentials
- Requests to refresh the access token

Do I need to use state for all 3 of the situations above?

If so, what is a good example of "state"? What makes a good "state"?

Any ideal length? Any minimum length? Any maximum length?

Any ideal makeup? Alphanumeric, including upper case?
Recommended answer

Just for #1 -- 3-legged authorization using the Authorization Code flow.

When your application exchanges the authorization code for an access token, you want to be sure that the OAuth flow which resulted in the authorization code provided was actually initiated by the legitimate user. So, before the client application kicks off the OAuth flow by redirecting the user to the provider, the client application creates a random state value and typically stores it in a server-side session. Then, as the user completes the OAuth flow, you check to make sure the state value matches the value stored in the user's server-side session, as that indicates the user had initiated the OAuth flow.

A state value should typically be a pseudo-random unguessable value. A simple value can be generated as an int with the rand() function in PHP, though you could get more complex as well to provide greater assurance.

The state exists to prevent things like me sending you a link via e-mail which contains an authorization code for my account, you clicking on it, and the application pushing all the data into my account unbeknownst to you.

Some additional information is in the OAuth 2.0 threat model document: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-threatmodel-00

In particular, see the section on CSRF protection: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-26#section-10.12
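As an added illustration of the generate / store / verify cycle described in the answer (example code written for this page, not from the original post or from any OAuth library), the following PHP binds a CSPRNG-generated state value to the server-side session before the redirect and checks it once, with a constant-time comparison, on the callback. The provider endpoint, client id and redirect URI are hypothetical placeholders.

```php
<?php
declare(strict_types=1);

session_start();

// Step 1 (before redirecting to the provider): create an unguessable state
// value and bind it to this user's server-side session.
function generateState(): string
{
    // 32 bytes from the CSPRNG, encoded URL-safe base64 without padding
    // so it survives the query string unchanged.
    $state = rtrim(strtr(base64_encode(random_bytes(32)), '+/', '-_'), '=');
    $_SESSION['oauth2_state'] = $state;
    $_SESSION['oauth2_state_created'] = time();
    return $state;
}

function buildAuthorizeUrl(string $state): string
{
    // Hypothetical provider endpoint and client details (assumptions).
    $params = [
        'response_type' => 'code',
        'client_id'     => 'YOUR_CLIENT_ID',
        'redirect_uri'  => 'https://app.example/oauth/callback',
        'scope'         => 'read',
        'state'         => $state,
    ];
    return 'https://provider.example/oauth/authorize?' . http_build_query($params);
}

// Step 2 (on the callback, before exchanging the code for a token): the
// returned state must match the stored one. The stored value is consumed
// on first use and expires, so a stale or replayed value is rejected.
function verifyState(?string $returned): bool
{
    $expected = $_SESSION['oauth2_state'] ?? null;
    $created  = $_SESSION['oauth2_state_created'] ?? 0;
    unset($_SESSION['oauth2_state'], $_SESSION['oauth2_state_created']);
    if ($expected === null || $returned === null) {
        return false;
    }
    if (time() - $created > 600) {   // 10-minute lifetime for a pending flow
        return false;
    }
    return hash_equals($expected, $returned);   // constant-time comparison
}

// Callback usage:
// if (!verifyState($_GET['state'] ?? null)) { http_response_code(400); exit('invalid state'); }
// ...only then exchange $_GET['code'] for an access token.
```

A state value that is tied to the session this way cannot be supplied by a link in an e-mail, because the recipient's session holds a different (or no) pending value.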