2

If I use the State parameter to control the RedirectURI as described here: "Why is Redirect URL Fully Qualified in Azure AD B2C?", wouldn't I be susceptible to Open Redirect Vulnerabilities?

Haven't I just moved the problem from the RedirectURI to the State parameter?

spottedmahn
  • 14,823
  • 13
  • 108
  • 178

2 Answers2

1

State parameter can be used to control redirection AFTER the app is launched again. The token will only go one place (as specified by the redirect URL). After that, the app is securely in control of the token, and can look at the state parameter to determine whether the user/token should be going to a different place. This is useful in various scenarios, like in the case where you are creating a news based app, and you need to know which article they attempted to sign in from. They will then be redirected back to that same article so that they can continue reading.

Parakh
  • 1,202
  • 7
  • 16
  • 2
    In addition, redirect_URI is open and can be modified. So any malicious user can change part of the unregistered URL, including query parameters to redirect. State is opaque and the app should validate when it gets back from the authorization server (e.g. encrypted, signed, etc.) – Omer Iqbal Nov 30 '17 at 18:39
  • there's the answer to me: "State ... should be encrypted or signed". If that happens, then yes, it can't be monkeyed with. @OmerIqbal – spottedmahn Nov 30 '17 at 19:24
  • Hi @Parakh - I understand it happens after. My point is a malicious user can modify the state parameter before it reaches B2C just like they can modify the `redirect_URI`. – spottedmahn Nov 30 '17 at 19:28
  • 2
    I've updated my [Why is Redirect URL Fully Qualified in Azure AD B2C?](https://stackoverflow.com/questions/47520604/why-is-redirect-url-fully-qualified-in-azure-ad-b2c#answer-47527533) answer with the important note to protect the "state" parameter. – Chris Padgett Nov 30 '17 at 20:50
  • 1
    @spottedmahn: State is also supposed to be used for CSRF protection and protections for it are specified in the OAuth2 RFC: https://tools.ietf.org/html/rfc6749#section-10.12. Also section 10.14: "The authorization server and client MUST sanitize (and validate when possible) any value received -- in particular, the value of the "state" and "redirect_uri" parameters." – Omer Iqbal Dec 01 '17 at 06:21
0

The State parameter is opaque and the app should validate when it gets back from the authorization server (e.g. encrypted, signed, etc.).

from Omer Iqbal's comment

spottedmahn
  • 14,823
  • 13
  • 108
  • 178