<!DOCTYPE qhelp PUBLIC

"-//Semmle//qhelp//EN"

"qhelp.dtd">

<qhelp>

<overview>

<p>

OAuth 2.0 clients must implement CSRF protection for the redirection URI, which is typically accomplished by including a "state" value that binds the request to

the user's authenticated state. The Go OAuth 2.0 library allows you to specify a "state" value which is then included in the auth code URL. That state is then provided back by the remote authentication server in the redirect callback, from where it must be validated. Failure to do so makes the client susceptible to an CSRF attack.

</p>

</overview>

<recommendation>

<p>

Always include a unique, non-guessable <code>state</code> value (provided to the call to <code>AuthCodeURL</code> function) that is also bound to the user's authenticated state with each authentication request, and then validated in the redirect callback.

</p>

</recommendation>

<example>

<p>

The first example shows you the use of a constant state (bad).

</p>

<sample src="ConstantOauth2StateBad.go" />

<p>

The second example shows a better implementation idea.

</p>

<sample src="ConstantOauth2StateBetter.go" />

</example>

<references>

<li>IETF: <a href="https://tools.ietf.org/html/rfc6749#section-10.12">The OAuth 2.0 Authorization Framework</a></li>

<li>IETF: <a href="https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1">OAuth 2.0 Security Best Current Practice</a></li>

</references>

</qhelp>