google-oauth - Why doesn't the Google OAuth 2.0 documentation for Web Apps mention the "state" parameter?

Reposted. Author: 行者123 Updated: 2023-12-01 15:27:14

Reading the Google OAuth documentation at https://developers.google.com/identity/protocols/OAuth2WebServer#handlingresponse, I was surprised (or at least curious as to why) there is no documentation of state. Even in the non-implicit flow, preventing CSRF attacks (https://www.rfc-editor.org/rfc/rfc6819#section-4.4.1.8) seems important.

Am I missing something that indicates the state parameter isn't strictly necessary? It seems like this should be emphasized in the documentation so that people don't leave their applications open to CSRF vulnerabilities.

Best answer

It is mentioned, but only for the HTTP/REST example. Look at the "Redirecting" section with HTTP/REST selected.

Redirecting to Google's OAuth 2.0 server

When your application needs to access a user's data, redirect the user to Google's OAuth 2.0 server.

HTTP/REST

Generate a URL to request access from Google's OAuth 2.0 endpoint at https://accounts.google.com/o/oauth2/v2/auth. This endpoint is accessible over HTTPS; plain HTTP connections are refused.

The set of query string parameters supported by the Google Authorization Server for web server applications are:

... Omitted text ...

state - Any string - Provides any state that might be useful to your application upon receipt of the response. The Google Authorization Server roundtrips this parameter, so your application receives the same value it sent. To mitigate against cross-site request forgery (CSRF), it is strongly recommended to include an anti-forgery token in the state, and confirm it in the response. See OpenID Connect for an example of how to do this.
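The quoted documentation says to put an anti-forgery token in `state` and confirm it in the response, but does not show the mechanics. The following is an added example (not code from the answer, the question, or Google's libraries) of the two halves of that check: generating a random token and storing it server-side before the redirect, then comparing it in constant time on the callback and consuming it so it cannot be replayed. The `session` argument is assumed to be any dict-like per-user store (for instance a framework session bound to a cookie); the client ID and redirect URI are placeholders.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Google's authorization endpoint, as quoted from the documentation above.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


class StateMismatch(Exception):
    """Raised when the callback's state is missing or does not match the stored token."""


def build_auth_url(session, client_id, redirect_uri, scope="openid email"):
    """Generate a fresh anti-forgery token, store it in the caller's server-side
    session (assumption: a dict-like per-user store), and return the URL the
    browser should be redirected to.
    """
    state = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, URL-safe
    session["oauth_state"] = state
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
        "state": state,
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def handle_callback(session, callback_url):
    """Validate the redirect back from the authorization server.

    Returns the authorization code only if `state` round-tripped intact.
    Any missing or mismatching state raises StateMismatch, which the caller
    should treat as a forged or replayed callback and refuse to exchange.
    """
    query = parse_qs(urlparse(callback_url).query)
    # pop() makes the token single-use: a replayed callback finds nothing to match.
    expected = session.pop("oauth_state", None)
    received = query.get("state", [None])[0]
    if expected is None or received is None:
        raise StateMismatch("state parameter missing from session or callback")
    # Constant-time comparison on bytes so the check cannot leak by timing.
    if not hmac.compare_digest(expected.encode("utf-8"), received.encode("utf-8")):
        raise StateMismatch("state parameter does not match the stored token")
    if "error" in query:
        raise RuntimeError(f"authorization server returned error: {query['error'][0]}")
    return query["code"][0]


if __name__ == "__main__":
    # Constructed walk-through with placeholder client values.
    sess = {}
    url = build_auth_url(sess, "CLIENT_ID_PLACEHOLDER", "https://app.example/callback")
    print("redirect browser to:", url)
    # Simulate Google redirecting back with the same state it was sent.
    cb = f"https://app.example/callback?code=4%2Fabc&state={sess['oauth_state']}"
    print("authorization code:", handle_callback(sess, cb))
```

The important design points are that the token is generated per authorization attempt rather than per user, that the comparison happens before any code exchange or account linking, and that the stored token is removed whether the check succeeds or fails.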

For the question "google-oauth - Why doesn't the Google OAuth 2.0 documentation for Web Apps mention the "state" parameter?", a similar question can be found on Stack Overflow: https://stackoverflow.com/questions/33819827/
