amazon-archives / amazon-cognito-auth-js

The Amazon Cognito Auth SDK for JavaScript simplifies adding sign-up, sign-in with user profile functionality to web apps.
Apache License 2.0
424 stars, 232 forks

Understanding request parameter 'state' #78

Closed shnplr closed 6 years ago

shnplr commented 6 years ago

Hi,

I notice this library adds a 'state' request parameter to the /oauth2/authorize request, but I don't understand how exactly this prevents CSRF. How does it work when the state token is generated on the client?

Cheers, Paul

yuntuowang commented 6 years ago

Hi @shnplr, Please refer to this issue. https://github.com/aws/amazon-cognito-auth-js/issues/43

About how 'state' prevents CSRF, you can see here: https://tools.ietf.org/html/draft-ietf-oauth-v2-30#section-10.12

Actually we will release a change about supporting developer set state parameter soon!

When hitting the login or authorize endpoint, just include "STATE" as a query parameter. Post authentication this value is returned to the redirect_uri (this value can be dynamic). So the state value is carried from unauthenticated to authenticated. This is a pretty common use case.

shnplr commented 6 years ago

Hi, Thanks for your reply.

I can see the 'state' is added to the URL in CognitoAuth.getFQDNSignIn(). After redirect how do I know the value matches the value sent in the original request? The function cacheTokensScopes() comment says: "This is used to save the session tokens, scope and state to local storage" - but I don't see where it saves 'state' into local storage so it can be checked later.

I look forward to reading about the change for supporting developer set state parameter. A separate section on the main page about security implementation with this library would be nice!

yuntuowang commented 6 years ago

Hi @shnplr, when we release the change about supporting the developer-set state parameter, after signing in successfully, the sign-in redirect URL will contain the state parameter. There you can see the value matches the value you set before.

The function cacheTokensScopes() comment has a typo there; it is only used to save the session tokens and scopes to local storage. I will correct this in the next commit!

Sure, we will add a separate section about security implementation if necessary. I will discuss this with my teammate too. Thanks!

yuntuowang commented 6 years ago

Hi @shnplr, we have released support for the developer-set state parameter! Please check version v1.1.2.

blepoutr commented 6 years ago

Hello

Can you confirm how the state can be used to prevent CSRF? (when using Token mode) For me, since the state is not stored in local storage like the Id token etc., we cannot be sure that we will always have a value (in the Success callback) to compare with. Any advice would be very appreciated. Thx

yuntuowang commented 6 years ago

Hi @blepoutr, you will always get state value in the Success callback if you have set the state parameter. The SDK will pass state value to the callback url.

blepoutr commented 6 years ago

Hello

Thx for your answer.

Actually, the state is empty when I am already authenticated with a valid Id token etc. Indeed, in this case the Session is created from the cache and I don't have any State in the signInUserSession. I guess that this is due to this.signInUserSession = this.getCachedSession();

So it seems to me that either the State should be stored in the cached session, or the state should be defaulted in CognitoAuthSession with CognitoAuth.state.

What do you think?

Thx

yuntuowang commented 6 years ago

Hi @blepoutr, exactly, currently our cachedSession doesn't contain the state parameter. So in your case, you cannot get the state. What you mentioned is a good point. We need to discuss more to see if we want to store it in the cached session. Thanks!