-
-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Is the oauth state parameter mishandled? #1925
Labels
Comments
egurnick
changed the title
Is the ouath state parameter misused?
Is the ouath state parameter mishandled?
Sep 14, 2022
egurnick
changed the title
Is the ouath state parameter mishandled?
Is the oauth state parameter mishandled?
Sep 15, 2022
Thank you for reporting. |
merged will be included on the next release |
Looks good, nice solution, thank you @dpgaspar ! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The oauth "state" parameter, used to prevent csrf attacks, is generated in fab like so for each auth request
Flask-AppBuilder/flask_appbuilder/security/views.py
Lines 622 to 626 in e7692d1
Where
config["SECRET_KEY"]
is defined in config.py (and should be set by the developer)Flask-AppBuilder/bin/config.py
Line 5 in 27b15e5
and
request.args
is defined ashttps://github.com/pallets/werkzeug/blob/main/src/werkzeug/sansio/request.py#L170-L185
Thus, the state parameter is essentially a constant and has the same value over multiple auth requests. If config["SECRET_KEY"]` is known, the state parameter is predictable.
The oauth standard states
https://datatracker.ietf.org/doc/html/rfc6749#section-4.2.1
https://datatracker.ietf.org/doc/html/rfc6749#section-10.12
All other implementations I have seen use a randomly generated string for each new auth request
Is this correct usage of the state parameter?
The text was updated successfully, but these errors were encountered: