oltu-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jasha Joachimsthal <ja...@apache.org>
Subject Re: Verifying the authorization server
Date Thu, 22 Jan 2015 17:34:56 GMT
That's what the state parameter is for. You generate this value and
keep it in a session. When the user returns to the redirectUri, the
OAuth provider must have returned the state parameter's value. Compare
this with the value in the session. If they don't match, your code
should not continue with the authorization.

See also [1]



[1] http://www.thread-safe.com/2014/05/the-correct-use-of-state-parameter-in.html

On 22 January 2015 at 17:13, Tiburtius, Ashwanth [IWD]
<Ashwanth.Tiburtius@iwd.iowa.gov> wrote:
> Hi,
> I am using Apache Oltu in our project to authenticate Google, Yahoo and
> Microsoft users. I have a fundamental question – when a user has
> authenticated themselves and the authorization server redirects them back to
> the application using the redirect uri along with a code, from a security
> perspective, how can we verify that the code came from the respective
> service - for e.g: Google? Does the authorization server send back
> certificate or signatures that can be used to verify itself? If so, does
> Oltu take care of this or is it upto the application to do the verification?
> Can you provide any help as to how the application should verify the server
> in case Oltu doesn’t do it currently?
> Just fyi, in our application, we are only concerned about a successful
> authentication which is the first step in OAuth process. We do not access
> any information about the user, so we are not getting into the next steps to
> get access token etc. at this point. I am not sure if that is an issue.
> I would really appreciate your comments/replies. Thank you for your time.
> Thanks,
> Jude.
> Iowa Workforce Development – IT | 1000 E Grand Ave, Des Moines, IA  50319
> (515) 281-3378 | Ashwanth.Tiburtius@iwd.iowa.gov

View raw message