From 42fa16ef1fd58ded23ec53951f3d7b817e84bd08 Mon Sep 17 00:00:00 2001 From: konarfil Date: Mon, 25 Sep 2023 09:27:34 +0200 Subject: [PATCH] Code flow 2 cleanup --- src/flow/code-1.html | 7 ++----- src/flow/code-2.html | 32 +++++++++++++++++--------------- src/flow/code-3.html | 2 +- 3 files changed, 20 insertions(+), 21 deletions(-) diff --git a/src/flow/code-1.html b/src/flow/code-1.html index bc5b1bf..270c320 100644 --- a/src/flow/code-1.html +++ b/src/flow/code-1.html @@ -1,6 +1,5 @@ - @@ -16,13 +15,12 @@ -
-

Authorization Code Flow

+

Authorization Code Flow

1 @@ -36,13 +34,12 @@ 3
-
Build the authorization URL and redirect the user to the authorization server
- After the user is redirected back to the client, verify the state matches + After the user is redirected back to the client, verify that the state matches
Exchange the authorization code for an access token diff --git a/src/flow/code-2.html b/src/flow/code-2.html index 188328b..dad03bf 100644 --- a/src/flow/code-2.html +++ b/src/flow/code-2.html @@ -1,10 +1,9 @@ - - OAuth 2.0 Playground + OAuth 2.0 Playground - Authorization Code Flow (2/3) @@ -16,13 +15,12 @@ -
-

Authorization Code Flow

+

Authorization Code Flow

1 @@ -36,13 +34,12 @@ 3
-
Build the authorization URL and redirect the user to the authorization server
- After the user is redirected back to the client, verify the state matches + After the user is redirected back to the client, verify that the state matches
Exchange the authorization code for an access token @@ -55,29 +52,34 @@
2. Verify the state parameter
-

You have now been redirected back to the application, to the page that was specified in the redirect-url parameter. In the URL you can notice, that there are addtional query parameters:

-
Let's break it down...
+

Let's break it down...

  • state=

    -

    This is the state parameter that was sent in the initial request. It is used to prevent CSRF attacks.

    +

    The state parameter is an opaque value used by the client to maintain state between the request and the callback. + Essentially, it is used to prevent Cross-Site Request Forgery (CSRF) attacks and to ensure the response belongs to the request made by the client. +

  • session_state=

    -

    Session state is a parameter that is used to maintain state between the request and callback. It is used to prevent CSRF attacks.

    +

    The session state parameter is not a core part of the OAuth 2.0 specification, but it is used in OpenID Connect (OIDC) + to represent the state of the end user's session at the Authorization Server. + The client can use this value to help manage user sessions or to detect when the user's session at the Authorization + Server changes (for example, if the user logs out).

  • code=

    -

    This is the authorization code that will be exchanged for an access token.

    +

    The code parameter contains the actual authorization code. This is a temporary code that the client can exchange for an + access token (and optionally, a refresh token) by making a back-channel request to the Authorization Server. + The format and structure of the code is determined by the Authorization Server. It can be just a random string, or a more complex construction. The exact significance of this structure is specific to the Authorization Server implementation and might include different identifiers or information encoded in + the structure.

-

Now we have everything necessary to obtain token for the user. But is the state we have sent equivalent to the one we received back?

- -
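Review bot: the unchanged context line just above this rewritten list still reads "redirect-url parameter" and "addtional query parameters"; since this commit is a wording cleanup of the same block, fix it to the real OAuth parameter name, redirect_uri, and to "additional" while you are here. Two documentation points on the added text: the "code=" entry calls the code "temporary" but never says what that means in practice, and RFC 6749 section 4.1.2 requires the authorization code to be short-lived (ten minutes maximum is the recommendation) and single-use; saying so explains why the next step exchanges it immediately over the back channel. The "state=" entry says the value prevents CSRF, but the comparison asked for at the end of this hunk ("is the state we have sent equivalent to the one we received back?") only helps if the client generated the value as an unguessable string bound to the user's browser session (RFC 6749 section 10.12); one sentence stating that requirement would connect the list to the check that follows. The "session_state" paragraph would also benefit from naming its source, the OpenID Connect Session Management specification, since the text already points out that it is not part of core OAuth 2.0.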
diff --git a/src/flow/code-3.html b/src/flow/code-3.html index 26f9e81..cc27239 100644 --- a/src/flow/code-3.html +++ b/src/flow/code-3.html @@ -42,7 +42,7 @@ Build the authorization URL and redirect the user to the authorization server
- After the user is redirected back to the client, verify the state matches + After the user is redirected back to the client, verify that the state matches
Exchange the authorization code for an access token
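Review bot: this one-word change to the stepper text ("verify that the state matches") has to be repeated in code-1.html, code-2.html and code-3.html within the same commit because the three-step header is pasted into each page; consider moving the stepper into a shared include or a small script so that the next wording fix is a single change and the three pages cannot drift apart.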