javascript - Should the OAuth2 Redirect URL be to the frontend or backend?

I'm setting up OAuth2 in my app using the Authorization Grant flow.

I am also using create-react-app, such that I'm developing on localhost:3000, which proxies to my app server backend on localhost:8080.

Everything mostly works, except for the fact that I cannot get the CSRF token working.

I realized it was because I was having the OAuth2 Redirect URL set to the backend, and as a result it was not sending the private encrypted csrf_state cookie along, because the request was originating from Google instead of my app.

I don't think this will be a problem in production, because there won't be a proxy server.

Instead, both the backend and frontend will be served from the same mydomain.com.

So, should I just not have this work in development?

Or should I have the OAuth2 redirect URL set to my frontend (localhost:3000), which then automatically redirects to the backend (localhost:8080), such that it can send the private encrypted CSRF token along?

Or is there a way to have the cookie originate from Google, without having the multiple redirects?

Or should I just not bother with CSRF, since SameSite has such large support amongst browsers now?

Asked by John Smith, translated from SO

1 Reply

The OAuth 2.0 Authorization Code grant includes CSRF protection using the state parameter.

Use this instead of relying on cookies.

    state
        RECOMMENDED. An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client. The parameter SHOULD be used for preventing cross-site request forgery as described in Section 10.12.

Source: https://tools.ietf.org/html/rfc6749#section-4.1
