
I'm trying to understand why the "state" value is recommended in OAuth2 flows.

Imagine a Google OAuth2 flow:

  • Backend returns the authorize url with the desired scopes
  • Frontend redirects the User to the returned url
  • User authorizes the App and is redirected back to the callback_url
  • Frontend at callback_url sends the authorization_code to the Backend
  • Backend exchanges the authorization_code for an access_token

Let's say, in the first step, instead of the Backend, an attacker tricked a User into using their own version of the "authorize" url (with modified scopes and properties).

The user will, again, get redirected to a trusted callback_url and the attacker has no way of obtaining the access_token.

It seems that as long as the callback_url is safe AND the Backend does not leak the client_secret, the attacker has no way to hijack the access_token.

So the "state" does not really have any benefits in this scenario.

However, I can imagine that in some OAuth2 flows the attacker can modify the authorize url (to change the "scopes" of the authorize url, for example), and using a "state" can detect these flows and prevent an access_token from being issued, which can be life-saving.

Is my understanding of this situation correct or are there cases where the state is necessary?

typicallearner
  • Does this answer your question? [What is the purpose of the 'state' parameter in OAuth authorization request](https://stackoverflow.com/questions/26132066/what-is-the-purpose-of-the-state-parameter-in-oauth-authorization-request) – jonrsharpe Apr 09 '23 at 11:00
  • @jonrsharpe thank you for the link; unfortunately I still don't understand how the attacker obtains a user's access_token. I can't come up with even one scenario that the redirect_url does not prevent. – typicallearner Apr 09 '23 at 11:17
  • @GaryArcher After a user clicks on a malicious link, the user is redirected to the OAuth2 provider (Google, for example) to authorize the request and grant access to the account. The user is then redirected to a trusted redirect_url with the authorization_code appended, usually in the query parameter. It's true that the attacker initiated the OAuth2 flow, but the attacker won't be able to get anything back because the user is redirected to a trusted url, which is out of the attacker's control. Unfortunately, this concept just doesn't click for me. – typicallearner Apr 09 '23 at 13:02
  • The threat is more along the lines of inserting a valid but different authorization code, eg with my user ID, into the OAuth response returned to your browser. In some types of app this might result after login in your being saved against my user, or similar adverse effects. – Gary Archer Apr 09 '23 at 14:30
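The scenario in Gary Archer's comment (an attacker delivering a valid authorization code for the attacker's own account to the victim's browser, so that the victim's session ends up bound to the attacker's account) is exactly what the "state" parameter defends against. The following is an added example, not code from the question or from any OAuth2 library, showing the Backend side of steps 1 and 4 from the question: it mints an unguessable "state", stores it in the caller's server-side session, and refuses any callback whose "state" does not match that session's pending value. The endpoint, client_id, redirect_uri and the "session" dict are constructed placeholders for the example, not a real deployment.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholders for this example (not real registrations):
AUTHORIZE_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
CLIENT_ID = "example-client-id"                  # assumption
REDIRECT_URI = "https://app.example/callback"    # assumption
SCOPES = ["openid", "email"]

# "session" below stands in for a server-side session keyed by the
# browser's session cookie; a dict is used so the example runs offline.


def build_authorize_url(session: dict) -> str:
    """Step 1: the Backend generates a fresh, unguessable state, remembers
    it in *this* browser's session, and embeds it in the authorize url.
    Because the attacker cannot read or write the victim's session, they
    cannot produce a url carrying a state the victim's session will accept."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(SCOPES),
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def state_from_url(url: str) -> str:
    """Helper: extract the state query parameter (what the provider echoes back)."""
    return parse_qs(urlparse(url).query)["state"][0]


def handle_callback(session: dict, callback_url: str) -> str:
    """Step 4: the Backend receives the callback url the Frontend forwarded.
    It accepts the authorization code only if the echoed state equals the
    pending state stored in this session, and it consumes that state so the
    same response cannot be replayed. Returns the code to exchange for an
    access_token, or raises PermissionError."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)      # single use
    received = query.get("state", [None])[0]
    if expected is None or received is None:
        raise PermissionError("no pending OAuth flow for this session")
    if not hmac.compare_digest(expected, received):
        raise PermissionError("state mismatch: response not bound to this session")
    codes = query.get("code")
    if not codes:
        raise PermissionError("no authorization code in callback")
    return codes[0]


def callback_accepted(session: dict, callback_url: str) -> bool:
    """Convenience wrapper: True if the Backend would proceed to the code exchange."""
    try:
        handle_callback(session, callback_url)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    # Honest flow: the same session that started the flow receives the callback.
    victim_session = {}
    url = build_authorize_url(victim_session)
    honest_cb = f"{REDIRECT_URI}?code=code-for-victim&state={state_from_url(url)}"
    print("honest callback accepted:", callback_accepted(victim_session, honest_cb))

    # Injected response: the attacker completed their own flow, obtained a
    # valid code for the attacker's account, and tricks the victim's browser
    # into loading that callback url. The victim's session holds no matching
    # state, so the Backend refuses to exchange the attacker's code.
    attacker_session = {}
    attacker_url = build_authorize_url(attacker_session)
    injected_cb = f"{REDIRECT_URI}?code=code-for-attacker&state={state_from_url(attacker_url)}"
    print("injected callback accepted:", callback_accepted({}, injected_cb))
```

Without the state check, the injected callback would be exchanged for an access_token belonging to the attacker's account inside the victim's session, which is the "saved against my user" outcome described in the comment; the attacker never needs the victim's token or the client_secret for that.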

0 Answers