spring-attic / spring-social

Allows you to connect your applications with SaaS providers such as Facebook and Twitter.
http://projects.spring.io/spring-social
Apache License 2.0

SocialAuthenticationFilter filter does not validate state #245

Open dlvenable opened 6 years ago

dlvenable commented 6 years ago

The Spring Social demos indicate that using SocialAuthenticationFilter is the preferred way to integrate with Spring Security. Indeed I find it integrates better with Spring Security than using ProviderSignInController. However, the code in SocialAuthenticationFilter doesn't validate the state parameter from Social providers. Thus using it for sign-in appears to open up a security hole.

I'm using Spring Security 1.1.4 and have been able to perform authentication into a simple system with a state which the server requesting Social sign-in never created.

dlvenable commented 6 years ago

I'd like to follow up on this issue. The OAuth2 spec recommends validating the state parameter.
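The check the two comments above are asking for, as an added example that is not Spring Social's code and is not taken from this thread: the server mints a random state before redirecting to the provider, binds it to the user's session, and on the callback accepts the authorization code only if the echoed state matches and has not been used before. The session is modelled as a plain Map and the attribute name is an assumption, so the class runs on a bare JDK without servlet or Spring dependencies; the same logic would sit in the filter's callback handling, reading the state from the request parameter and the HttpSession.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Illustrative OAuth2 "state" handling (added example, not Spring Social code).
 * The session is modelled as a Map so the example runs on a bare JDK.
 */
public class StateCheckExample {

    // Session attribute under which the pending state is stored (name is an assumption).
    static final String STATE_ATTR = "oauth2.state";
    private static final SecureRandom RANDOM = new SecureRandom();

    /** Step 1: before redirecting to the provider, mint a fresh state and bind it to the session. */
    static String issueState(Map<String, Object> session) {
        byte[] raw = new byte[32];                 // 256 bits of entropy
        RANDOM.nextBytes(raw);
        String state = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.put(STATE_ATTR, state);
        return state;
    }

    /**
     * Step 2: on the provider callback, accept the authorization code only if the
     * returned state equals the one bound to this session. The stored value is
     * removed before comparing, so any state can be redeemed at most once.
     */
    static boolean validateState(Map<String, Object> session, String returnedState) {
        Object expected = session.remove(STATE_ATTR);
        if (expected == null || returnedState == null) {
            return false;   // no pending sign-in in this session, or provider sent no state
        }
        // Constant-time comparison so the expected value does not leak through timing.
        return MessageDigest.isEqual(
                ((String) expected).getBytes(StandardCharsets.UTF_8),
                returnedState.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Map<String, Object> victimSession = new HashMap<>();

        // Legitimate flow: state issued on the way out, echoed back by the provider.
        String state = issueState(victimSession);
        System.out.println("genuine callback accepted:  " + validateState(victimSession, state));

        // Replay of the same callback: rejected, the state was consumed on first use.
        System.out.println("replayed callback accepted: " + validateState(victimSession, state));

        // The situation described in the issue: a callback carrying a state this server
        // never created, delivered to a session that has no sign-in in progress.
        Map<String, Object> idleSession = new HashMap<>();
        System.out.println("unissued state accepted:    " + validateState(idleSession, "value-this-server-never-issued"));

        // A session with a pending sign-in still rejects a state it did not issue.
        Map<String, Object> pendingSession = new HashMap<>();
        issueState(pendingSession);
        System.out.println("mismatched state accepted:  " + validateState(pendingSession, "some-other-value"));
    }
}
```

Compile and run with `javac StateCheckExample.java && java StateCheckExample`; only the first line prints `true`. Removing the attribute before comparison is deliberate: a state that is merely checked for equality but left in the session can be replayed until the session expires, and an attacker who can get the victim to open a callback URL containing a state the attacker obtained would otherwise be able to log the victim into the attacker's provider account.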