delegate.verifyCsrfState();
}
+ @Override
+ public void verifyCsrfState(String parameterName) {
+ delegate.verifyCsrfState(parameterName);
+ }
+
@Override
public void redirectToRequestedPage() {
delegate.redirectToRequestedPage();
csrfVerifier.verifyState(request, response, identityProvider);
}
+ @Override
+ public void verifyCsrfState(String parameterName) {
+ csrfVerifier.verifyState(request, response, identityProvider, parameterName);
+ }
+
@Override
public void redirectToRequestedPage() {
try {
public class OAuthCsrfVerifier {
private static final String CSRF_STATE_COOKIE = "OAUTHSTATE";
+ private static final String DEFAULT_STATE_PARAMETER_NAME = "state";
public String generateState(HttpServletRequest request, HttpServletResponse response) {
// Create a state token to prevent request forgery.
}
public void verifyState(HttpServletRequest request, HttpServletResponse response, OAuth2IdentityProvider provider) {
+ verifyState(request, response, provider, DEFAULT_STATE_PARAMETER_NAME);
+ }
+
+ public void verifyState(HttpServletRequest request, HttpServletResponse response, OAuth2IdentityProvider provider, String parameterName) {
Cookie cookie = findCookie(CSRF_STATE_COOKIE, request)
.orElseThrow(AuthenticationException.newBuilder()
.setSource(Source.oauth2(provider))
// remove cookie
response.addCookie(newCookieBuilder(request).setName(CSRF_STATE_COOKIE).setValue(null).setHttpOnly(true).setExpiry(0).build());
- String stateInRequest = request.getParameter("state");
+ String stateInRequest = request.getParameter(parameterName);
if (isBlank(stateInRequest) || !sha256Hex(stateInRequest).equals(hashInCookie)) {
throw AuthenticationException.newBuilder()
.setSource(Source.oauth2(provider))
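Review bot: `parameterName` reaches `request.getParameter(parameterName)` without any check, and only after the state cookie has already been expired on the response. A null or blank name is a caller bug, and how `getParameter` treats it is container-specific, so I would reject it as the first statement of the four-argument `verifyState` (its signature is added in the previous hunk) with `Objects.requireNonNull(parameterName, "parameterName");`, before the cookie is read or cleared. The new public overload also has no Javadoc; it should state that the name is a fixed value chosen by the identity provider and must never be derived from the incoming request, because the check only protects the callback if the caller, not the requester, decides which parameter is compared. The method body starts and ends outside this hunk.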
@Test
public void verify_state() {
+ String state = "state";
+ when(request.getCookies()).thenReturn(new Cookie[] {new Cookie("OAUTHSTATE", sha256Hex(state))});
+ when(request.getParameter("aStateParameter")).thenReturn(state);
+
+ underTest.verifyState(request, response, identityProvider, "aStateParameter");
+
+ verify(response).addCookie(cookieArgumentCaptor.capture());
+ Cookie updatedCookie = cookieArgumentCaptor.getValue();
+ assertThat(updatedCookie.getName()).isEqualTo("OAUTHSTATE");
+ assertThat(updatedCookie.getValue()).isNull();
+ assertThat(updatedCookie.getPath()).isEqualTo("/");
+ assertThat(updatedCookie.getMaxAge()).isEqualTo(0);
+ }
+
+ @Test
+ public void verify_state_using_default_state_parameter() {
String state = "state";
when(request.getCookies()).thenReturn(new Cookie[] {new Cookie("OAUTHSTATE", sha256Hex(state))});
when(request.getParameter("state")).thenReturn(state);
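Review bot: The new tests cover only the accepting path for a custom parameter name; nothing pins that verification fails when the expected value arrives under the default `state` parameter while a different name was requested. Without that case, a regression that falls back to `state` would still pass both tests here. I would add a rejecting test like the one below. It assumes AssertJ's `assertThatThrownBy` is acceptable in this class, so if the class uses an `ExpectedException` rule, express it that way instead. The body of `verify_state_using_default_state_parameter` continues outside the hunk.

```java
@Test
public void fail_when_state_is_only_present_under_default_parameter_name() {
  String state = "state";
  when(request.getCookies()).thenReturn(new Cookie[] {new Cookie("OAUTHSTATE", sha256Hex(state))});
  // value is sent under the default name, but the caller asks for a custom one
  when(request.getParameter("state")).thenReturn(state);

  assertThatThrownBy(() -> underTest.verifyState(request, response, identityProvider, "aStateParameter"))
    .isInstanceOf(AuthenticationException.class);
}
```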
/**
* Check that the state is valid.
+ * The state will be read from the 'state' parameter of the HTTP request
+ *
* It should only be called If {@link InitContext#generateCsrfState()} was used in the init
*/
void verifyCsrfState();
+ /**
+ * Check that the state is valid
+ * The state will be read from the given parameter name of the HTTP request
+ *
+ * It should only be called If {@link InitContext#generateCsrfState()} was used in the init
+ */
+ void verifyCsrfState(String parameterName);
+
/**
* Redirect the request to the requested page.
* Must be called at the end of {@link OAuth2IdentityProvider#callback(CallbackContext)}