SOCIAL-299

Support CSRF protection in connection/sign-in flows

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Complete
    • Affects Version/s: None
    • Fix Version/s: 1.1.0.M3, 1.1.0.RELEASE
    • Component/s: None
    • Labels: None

      Description

      Some providers (Facebook, specifically) suggest passing some form of state as a parameter in the authorization URL and compare that with the state returned on the redirect to avoid CSRF vulnerabilities. The connection and sign-in flows should support this, either directly or indirectly.

      Although this issue speaks directly to Facebook's state parameter, it is possible that other providers may offer a similar mechanism and any work done will likely be in the Spring Social Core code. Therefore this issue is opened in the context of Spring Social Core (and not Spring Social Facebook).

      Care should be taken to not break connection flows for providers that do not support CSRF protection this way. In other words, it will not be possible to simply send some state and then compare it after the redirect, because not all providers will send that state back; the comparison will fail and thus the otherwise correct flow will fail.
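      The flow the description asks for, as an added example written for this page in Python (it is not Spring Social code and does not use its API). The `Provider` type, its `echoes_state` flag, the session layout under `oauth2_state`, the URLs and the client id are all assumptions made for the example. It mints a random state, binds it to the session, appends it to the authorization URL, and on the redirect compares it only for providers known to echo it back, which is the caveat the issue raises; a lenient "compare only if present" variant is included to show why that shortcut is not a safe substitute.

```python
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse


@dataclass(frozen=True)
class Provider:
    """Hypothetical provider descriptor (constructed for this example, not a
    Spring Social type). `echoes_state` records whether the provider is known
    to return the `state` parameter unchanged on its redirect."""
    name: str
    authorize_url: str
    echoes_state: bool


SESSION_KEY = "oauth2_state"  # assumed session slot: {provider name -> pending state}


def build_authorize_url(session: dict, provider: Provider,
                        client_id: str, redirect_uri: str) -> str:
    """Mint an unguessable state, bind it to this session and provider, and put it
    on the authorization URL. It is sent to every provider: one that ignores it
    does no harm, and the decision whether to check it is made on the way back."""
    state = secrets.token_urlsafe(32)
    session.setdefault(SESSION_KEY, {})[provider.name] = state
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "state": state,
    }
    return f"{provider.authorize_url}?{urlencode(params)}"


def _returned_state(callback_url: str):
    """Extract the `state` query parameter from the redirect URL, or None."""
    return parse_qs(urlparse(callback_url).query).get("state", [None])[0]


def verify_callback(session: dict, provider: Provider, callback_url: str) -> bool:
    """Decide whether the redirect back from the provider may continue.

    The pending state is popped so it is single-use. For a provider that
    echoes state, the callback must carry exactly the value this session sent;
    a missing, replayed or foreign value is rejected. For a provider that does
    not echo state, the comparison is skipped entirely: comparing would fail
    every time and break an otherwise correct flow."""
    pending = session.get(SESSION_KEY, {}).pop(provider.name, None)
    if not provider.echoes_state:
        return True
    returned = _returned_state(callback_url)
    if pending is None or returned is None:
        return False
    return hmac.compare_digest(pending, returned)


def verify_callback_lenient(session: dict, provider: Provider, callback_url: str) -> bool:
    """What NOT to do: compare only when a state came back. This looks like it
    handles both kinds of provider, but an attacker crafting the callback URL
    simply leaves `state` out and the check is bypassed."""
    pending = session.get(SESSION_KEY, {}).pop(provider.name, None)
    returned = _returned_state(callback_url)
    if returned is None:
        return True
    return pending is not None and hmac.compare_digest(pending, returned)
```

      The per-provider `echoes_state` flag is the point: the knowledge of whether a provider returns `state` has to live in configuration, not be inferred from whether the parameter happens to be present on the callback, because the callback URL is exactly what a CSRF attacker controls.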

            People

            • Assignee: Craig Walls (habuma)
            • Reporter: Craig Walls (habuma)
            • Votes: 0
            • Watchers: 1
