golang / oauth2

Go OAuth2
https://golang.org/x/oauth2
BSD 3-Clause "New" or "Revised" License

AuthCodeURL permits empty state parameter #263

Open zombiezen opened 6 years ago

zombiezen commented 6 years ago

In #33 (and the corresponding bb8496880f7e4671902be4e7251f40d971c5d535), the state parameter is allowed to be empty. However, as noted in RFC 6749 4.1.1, failure to do so can result in an XSRF vulnerability. I think we should consider making an empty state parameter panic.

bradfitz commented 6 years ago

Maybe we start with a log.Printf warning for 6 months or so before we go all the way to a panic?

But people will probably just replace the empty string with the string literal "state", as I've seen enough (and used to do myself, to shut things up). Having good docs & easy ways to do it properly would be helpful.

zombiezen commented 6 years ago

We should provide a good example of 3-legged OAuth. It should likely use something like gorilla/sessions.
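As an added example (not code from golang/oauth2 or from anyone in this thread), the following stand-alone Go program shows the two points raised above: refusing to build an authorization URL with an empty `state`, and tying each state value to the browser session that started the 3-legged flow so the callback can be checked and the value consumed. The session store is an in-memory map keyed by a hypothetical session ID standing in for what gorilla/sessions would hold; the endpoint, client ID and redirect URI are constructed placeholders.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"sync"
)

var (
	ErrEmptyState   = errors.New("oauth2: state parameter must not be empty")
	ErrUnknownState = errors.New("oauth2: callback state does not match any pending request")
)

// newState returns 32 bytes of CSPRNG output as URL-safe base64 (43 chars).
func newState() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// stateStore remembers the pending state for each session. In a real
// application this would live in the server-side session (e.g. gorilla/sessions);
// here it is an in-memory map keyed by a hypothetical session ID.
type stateStore struct {
	mu      sync.Mutex
	pending map[string]string // sessionID -> state
}

func newStateStore() *stateStore {
	return &stateStore{pending: make(map[string]string)}
}

// authCodeURL assembles an authorization request like oauth2.Config.AuthCodeURL,
// but returns an error for an empty state instead of silently emitting it.
func authCodeURL(authEndpoint, clientID, redirectURI, state string) (string, error) {
	if state == "" {
		return "", ErrEmptyState
	}
	u, err := url.Parse(authEndpoint)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("state", state)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// begin generates a fresh state for the session, records it, and returns the
// URL the user's browser should be redirected to.
func (s *stateStore) begin(sessionID, authEndpoint, clientID, redirectURI string) (string, error) {
	state, err := newState()
	if err != nil {
		return "", err
	}
	s.mu.Lock()
	s.pending[sessionID] = state
	s.mu.Unlock()
	return authCodeURL(authEndpoint, clientID, redirectURI, state)
}

// finish checks the state returned on the callback against the one stored for
// this session (constant-time compare) and consumes it so it cannot be replayed.
func (s *stateStore) finish(sessionID, callbackState string) error {
	if callbackState == "" {
		return ErrEmptyState
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	want, ok := s.pending[sessionID]
	if !ok || subtle.ConstantTimeCompare([]byte(want), []byte(callbackState)) != 1 {
		return ErrUnknownState
	}
	delete(s.pending, sessionID)
	return nil
}

func main() {
	// Constructed placeholder values; no real authorization server is contacted.
	store := newStateStore()
	redirect, err := store.begin("session-1", "https://as.example/authorize", "client-id", "https://app.example/callback")
	if err != nil {
		panic(err)
	}
	fmt.Println("redirect user to:", redirect)
	state := mustQuery(redirect, "state")
	fmt.Println("forged callback rejected:", store.finish("session-1", "forged") == ErrUnknownState)
	fmt.Println("genuine callback accepted:", store.finish("session-1", state) == nil)
	fmt.Println("replayed callback rejected:", store.finish("session-1", state) == ErrUnknownState)
}

// mustQuery extracts one query parameter from a URL; used only by main.
func mustQuery(rawURL, key string) string {
	u, err := url.Parse(rawURL)
	if err != nil {
		panic(err)
	}
	return u.Query().Get(key)
}
```

The callback handler should call `finish` with the session ID taken from the browser's cookie and the `state` from the callback query string before it ever exchanges the `code`; a mismatch means the callback was not initiated by this session, which is exactly the cross-site request forgery that an empty or constant state fails to detect.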