
Support "state" parameter in OAuth

Authored by epriestley <git@epriestley.com> on Jun 16 2013, 19:18.

Description

Support "state" parameter in OAuth

Summary:
Ref T1445. Ref T1536. Although we have separate CSRF protection and have never been vulnerable to OAuth hijacking, properly implementing the "state" parameter provides a little more certainty.

Before OAuth, we set a random value on the client, and pass its hash as the "state" parameter. Upon return, validate that (a) the user has a nonempty "phcid" cookie and (b) the OAuth endpoint passed back the correct state (the hash of that cookie).

Test Plan: Logged in with all OAuth providers, which all apparently support state.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran, arice

Maniphest Tasks: T1445, T1536

Differential Revision: https://secure.phabricator.com/D6179
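The two-step check the commit message describes, written out as an added Python example (not Phabricator's own code, which is PHP). The cookie name `phcid` and the rule "state = hash of the cookie" come from the message; SHA-256 as the hash, the OAuth parameter names, and the endpoint and redirect URLs are assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse
COOKIE_NAME = "phcid"  # cookie name from the commit message


def new_client_id():
    """Random per-login value we set on the client before redirecting out."""
    return secrets.token_hex(16)


def state_for(client_id):
    """Hash of the cookie (SHA-256 assumed; the message only says 'hash')."""
    return hashlib.sha256(client_id.encode()).hexdigest()


def build_authorize_url(authorize_endpoint, client_id, redirect_uri, cookie_value):
    """Step 1: redirect to the provider carrying state = hash(cookie)."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state_for(cookie_value)}
    return authorize_endpoint + "?" + urlencode(params)


def validate_return(cookies, callback_url):
    """Step 2: on return, require (a) a nonempty phcid cookie and (b) a state
    equal to the hash of that cookie. Returns (accepted, reason)."""
    cookie = cookies.get(COOKIE_NAME, "")
    if not cookie:
        return False, "missing phcid cookie"
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not state:
        return False, "missing state"
    # constant-time compare so the check cannot be probed byte by byte
    if not hmac.compare_digest(state_for(cookie), state):
        return False, "state mismatch"
    return True, "ok"


def demo():
    """Constructed round trip plus two rejected callbacks (constructed URLs)."""
    cookie = new_client_id()
    url = build_authorize_url("https://provider.example/oauth/authorize",
                              "app123", "https://phab.example/login/oauth/", cookie)
    state = parse_qs(urlparse(url).query)["state"][0]
    honest = "https://phab.example/login/oauth/?code=c1&state=" + state
    # a callback minted from a different login carries a state tied to a different cookie
    foreign = "https://phab.example/login/oauth/?code=c2&state=" + state_for(new_client_id())
    return {
        "honest": validate_return({COOKIE_NAME: cookie}, honest),
        "foreign_state": validate_return({COOKIE_NAME: cookie}, foreign),
        "no_cookie": validate_return({}, honest),
    }
```

Only the callback whose state matches the hash of the browser's own `phcid` cookie is accepted; a callback arriving with no cookie, or with a state bound to some other session, is rejected before any token exchange happens.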

Details

Committed
epriestley <git@epriestley.com>, Jun 16 2013, 19:18
Pushed
aubort, Jan 31 2017, 17:16
Parents
rPHfdbd3776255f: Replace old login validation controller with new one
Branches
Unknown
Tags
Unknown

Event Timeline

epriestley <git@epriestley.com> committed rPH8c3ef4b73c66: Support "state" parameter in OAuth (authored by epriestley <git@epriestley.com>). Jun 16 2013, 19:18