Spring Social
SOCIAL-299

Support CSRF protection in connection/sign-in flows

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Complete
    • Affects Version/s: None
    • Fix Version/s: 1.1.0.M3
    • Component/s: None
    • Labels: None

      Description

      Some providers (Facebook, specifically) suggest passing some form of state as a parameter in the authorization URL and comparing it with the state returned on the redirect to avoid CSRF vulnerabilities. The connection and sign-in flows should support this, either directly or indirectly.

      Although this issue speaks directly to Facebook's state parameter, it is possible that other providers may offer a similar mechanism and any work done will likely be in the Spring Social Core code. Therefore this issue is opened in the context of Spring Social Core (and not Spring Social Facebook).

      Care should be taken not to break connection flows for providers that do not support CSRF protection this way. In other words, it will not be possible to simply send some state and then compare it after the redirect, because not all providers will send that state back: the comparison would fail and thus the otherwise correct flow would fail.
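      The following is an added illustration of the mechanism the description asks for, written in Python as a generic OAuth-style flow; it is not Spring Social code and does not reflect how Spring Social ultimately implemented the fix. It assumes a dict-like server-side session, a constructed session key name, and a per-provider flag saying whether the provider echoes `state` back, which is the hook used here to avoid failing the flow for providers that do not support it.

```python
import hmac
import secrets
from urllib.parse import urlencode

# Constructed session key for the pending state value (assumption, not a Spring Social name).
STATE_SESSION_KEY = "oauth2_state"


def begin_authorization(session, provider_supports_state):
    """Start the connection/sign-in flow.

    If the provider echoes `state`, generate an unguessable one-time value,
    remember it in the session and return it so it can be appended to the
    authorization URL. Otherwise return no extra parameters, so the existing
    flow for that provider is unchanged.
    """
    params = {}
    if provider_supports_state:
        state = secrets.token_urlsafe(32)
        session[STATE_SESSION_KEY] = state
        params["state"] = state
    return params


def build_authorization_url(authorize_endpoint, client_id, redirect_uri, extra_params):
    """Assemble the provider's authorization URL, including any state parameter."""
    query = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
    }
    query.update(extra_params)
    return f"{authorize_endpoint}?{urlencode(query)}"


def complete_authorization(session, provider_supports_state, callback_params):
    """Handle the redirect back from the provider.

    Returns True if the callback may proceed to exchange the code, False if
    the state check fails. The stored state is always consumed, so a callback
    can be completed at most once per started flow.
    """
    expected = session.pop(STATE_SESSION_KEY, None)
    returned = callback_params.get("state")

    if not provider_supports_state:
        # Provider never sends state back: skip the comparison instead of
        # failing an otherwise correct flow (the caveat from the description).
        return True

    if expected is None or returned is None:
        # No pending flow, or the provider omitted the value we sent.
        return False

    # Constant-time comparison of the round-tripped value.
    return hmac.compare_digest(expected, returned)


if __name__ == "__main__":
    # Constructed walk-through with an in-memory session.
    session = {}
    params = begin_authorization(session, provider_supports_state=True)
    url = build_authorization_url(
        "https://provider.example/oauth/authorize",  # placeholder endpoint
        "example-client-id",
        "https://app.example/connect/callback",
        params,
    )
    print("authorization URL:", url)
    ok = complete_authorization(session, True, {"code": "constructed-code", "state": params["state"]})
    print("matching state accepted:", ok)
    # A second callback for the same flow has nothing to compare against.
    print("replayed callback accepted:", complete_authorization(session, True, {"code": "x", "state": params["state"]}))
```

Consuming the stored value on every callback, rather than only on success, is what keeps a single started flow from being completed more than once; keeping the skip decision per provider is what preserves the flows of providers that ignore the parameter.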

        Activity

        Craig Walls added a comment -

        This is in the latest snapshot build (Spring Social 1.1.0.BUILD-SNAPSHOT). In addition there were some changes to support it in Spring Social Facebook (1.1.0.BUILD-SNAPSHOT) and Spring Social LinkedIn (1.0.0.BUILD-SNAPSHOT).

        Please try it and let me know if there are any issues.


          People

          • Assignee: Craig Walls
          • Reporter: Craig Walls
          • Votes: 0
          • Watchers: 1

            Dates

            • Created:
              Updated:
              Resolved: