How the state parameter in an OAuth2 request would prevent an attacker from sending malicious requests with OAuth2


I’m confused about how an attacker would be able to send requests to an authenticated OAuth2 application; how would the attacker even send the request in the first place if they don’t have the access key?


2 Answers

Anonymous 0 Comments

The state parameter can contain anything. It’s an opaque blob that can hold any data and mean anything based on what the client and server decide on.

But it’s meant to be used to prevent CSRF, or cross-site request forgery.

The long and short of it is that without CSRF protection, a malicious website could abuse a user’s *ambient authority* in a browser and get the browser to send an OAuth request to the resource server under the authority of the currently authenticated user session.
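The check the answer above describes, as an added example that is not part of the original post: the client mints an unguessable `state`, binds it to the browser session before redirecting to the authorization server, and refuses any callback whose `state` is missing or does not match the one bound to that session. The endpoint URLs, client id and authorization codes are constructed placeholders, and the session is a plain dict standing in for a real server-side session store.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders (assumptions, not values from the original post).
AUTHORIZE_URL = "https://auth.example.test/authorize"
REDIRECT_URI = "https://client.example.test/callback"
CLIENT_ID = "demo-client"


def begin_authorization(session: dict) -> str:
    """Client side, step 1: mint an unguessable state, bind it to this
    browser session, and build the redirect to the authorization server."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "profile",
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> str:
    """Client side, step 2: accept the callback only if its state matches the
    one bound to this session. A cross-site forged callback either carries no
    state or a state that was never minted for this session, so it is refused
    before the authorization code is ever exchanged for a token."""
    expected = session.pop("oauth_state", None)  # single use: consume it
    query = parse_qs(urlparse(callback_url).query)
    received = query.get("state", [None])[0]
    if expected is None or received is None:
        raise PermissionError("missing state: rejecting callback")
    # Constant-time comparison so the expected value cannot leak via timing.
    if not hmac.compare_digest(expected, received):
        raise PermissionError("state mismatch (possible CSRF): rejecting callback")
    code = query.get("code", [None])[0]
    if code is None:
        raise ValueError("callback carries no authorization code")
    return code


def demo() -> dict:
    """Legitimate round trip succeeds; a callback whose state belongs to a
    different session, and a callback with no state at all, are refused."""
    session = {}
    auth_url = begin_authorization(session)
    state = parse_qs(urlparse(auth_url).query)["state"][0]

    # Constructed redirect back from the authorization server.
    good_callback = f"{REDIRECT_URI}?code=AUTHCODE123&state={state}"
    results = {"legit_code": handle_callback(session, good_callback)}

    # State minted for some other session (e.g. one started cross-site)
    # does not match the state bound to this user's session.
    other_session = {}
    other_state = parse_qs(urlparse(begin_authorization(other_session)).query)["state"][0]
    begin_authorization(session)  # this user starts a fresh login
    foreign = f"{REDIRECT_URI}?code=OTHERCODE&state={other_state}"
    try:
        handle_callback(session, foreign)
        results["foreign_state_rejected"] = False
    except PermissionError:
        results["foreign_state_rejected"] = True

    # No state at all (the session's state was consumed by the attempt above).
    try:
        handle_callback(session, f"{REDIRECT_URI}?code=NOSTATE")
        results["missing_state_rejected"] = False
    except PermissionError:
        results["missing_state_rejected"] = True
    return results
```

Two details matter in practice: the state is consumed on first use, so a replayed callback fails too, and the comparison is constant-time. Using the state this way does not stop a stolen access token from being used; it stops a browser from being tricked into completing an authorization flow it did not start.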

Anonymous 0 Comments

OAuth works with a Security Token Service.

A real world example is a large company with multiple offices. The security team gives an employee an ID that has a magic signature that can’t be faked.

The employee can then go to any office in the company, show the ID, and the security guard can verify that the ID hasn’t been tampered with because of the signature.

Because the security guard at the location can verify the signature from the central security department, the local guard can just let the employee by without checking with central security.

If someone could fake the magic signature, then they would get past the local security guard.

For OAuth, the signature is a cryptographic hash signature of the rest of the token. The hash would change if the token was modified by someone who doesn’t have the certificate the Security Token Service used to sign the certificate.

By using a hash such as ES-256, which doesn’t have a collision vulnerability (yet), the only way to fake the signature is to steal the signing certificate.

The state is used in the OAuth flow, which is far beyond an ELI5 post, but doesn’t have anything to do with the token creation or verification.
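The "magic signature" idea from the answer above, as an added example that is not part of the original post: a compact JWT-style token is issued by signing its header and claims, and any change to the claims makes the signature check fail. The answer talks about ES-256 (an asymmetric signature, where the local "guard" needs only the public key); this example uses HMAC-SHA256 (HS256) from the Python standard library instead, so it runs with no third-party library. The secret key and the claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key (assumption); a real Security Token Service would use
# an ES256 private key and hand verifiers only the public key.
SECRET = b"constructed-demo-key-not-for-real-use"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_bytes(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def issue_token(claims: dict, key: bytes = SECRET) -> str:
    """Security Token Service side: sign header.claims with the key."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_b64url(_json_bytes(header))}.{_b64url(_json_bytes(claims))}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, key: bytes = SECRET, now=None) -> dict:
    """Local 'guard' side: recompute the signature over header.claims and
    reject the token if it differs, then check expiry. No call back to the
    token service is needed."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm; never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def demo() -> dict:
    """A genuine token verifies; the same token with edited claims does not."""
    claims = {"sub": "alice", "role": "user", "exp": 2_000_000_000}
    token = issue_token(claims)
    verified = verify_token(token, now=1_700_000_000)

    # Edit the claims but keep the original signature: the hash no longer matches.
    h, _p, s = token.split(".")
    edited = dict(claims, role="admin")
    tampered = f"{h}.{_b64url(_json_bytes(edited))}.{s}"
    try:
        verify_token(tampered, now=1_700_000_000)
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True

    # An otherwise valid token is still refused once it has expired.
    try:
        verify_token(token, now=2_000_000_001)
        expired_rejected = False
    except ValueError:
        expired_rejected = True

    return {
        "role": verified["role"],
        "tampered_rejected": tampered_rejected,
        "expired_rejected": expired_rejected,
    }
```

The point the analogy makes is the second function: a verifier holding the right key can check the token locally, so the central service is not consulted on every request. With HS256 the verifier holds the same secret the issuer used, so it could also mint tokens; ES256 removes that by letting verifiers hold only the public key.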