Library does not track state and is therefor open to CSRF attacks

c0debrain / socialauth

Automatically exported from code.google.com/p/socialauth

0 stars 0 forks source link

Library does not track state and is therefor open to CSRF attacks #344

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago

I'm working on an OAuth 2.0 implementation for LinkedIn and am running into 
problems because the LinkedIn API requires the client to send a state. The 
problem is that this library does not support state. Despite state being an 
optional part of OAuth 2.0 it's integral in maintaining the security of the 
application.

Am I missing something or is there really no way to set the state during OAuth 
2 flow?

Original issue reported on code.google.com by loch...@connectionpoint.ca on 28 May 2014 at 5:07

GoogleCodeExporter commented 9 years ago

Which version of SocialAuth you are using. Till socialauth-4.5 there is no 
linkedin provider which support OAuth2. In SocialAuth 4.6 we are going to 
release LinkedInOAuth2Impl provider which supports OAuth2 and key for using the 
same is "linkedin2".

Regards
Tarun

Original comment by tarun.na...@3pillarglobal.com on 5 Jun 2014 at 11:06

GoogleCodeExporter commented 9 years ago

Please open a new issue if you not found this in LinkedInOAuth2Impl provider.

Regards
Tarun

Original comment by tarun.na...@3pillarglobal.com on 20 Jun 2014 at 3:24

Changed state: Done