Reputation: 15981
Using State Parameter in Azure AD B2C Susceptible to Open Redirect Vulnerability?
If I use the State parameter to control the RedirectURI as described here: "Why is Redirect URL Fully Qualified in Azure AD B2C?", wouldn't I be susceptible to Open Redirect Vulnerabilities?
Haven't I just moved the problem from the RedirectURI to the State parameter?
Upvotes: 2
Views: 2421
Answers (2)
Reputation: 15981
The
Stateparameter is opaque and the app should validate when it gets back from the authorization server (e.g. encrypted, signed, etc.).
from Omer Iqbal's comment
Upvotes: 0
Reputation: 1232
State parameter can be used to control redirection AFTER the app is launched again. The token will only go one place (as specified by the redirect URL). After that, the app is securely in control of the token, and can look at the state parameter to determine whether the user/token should be going to a different place. This is useful in various scenarios, like in the case where you are creating a news based app, and you need to know which article they attempted to sign in from. They will then be redirected back to that same article so that they can continue reading.
Upvotes: 1
Related Questions
- Azure AD B2C ASP.NET redirect loop
- Azure AD B2C: The redirect URI in the request, does not match the ones authorized for the OAuth client
- B2C redirect after SSO login AADSTS50196
- Azure B2C Redirect after Login/Signup - Blazor
- Microsoft Azure Directory oAuth redirect_uri not accepting state query parameter
- Workaround for Azure AD B2C redirect limits
- Azure Ad B2C: How to use use msal-angular to pass parameter which still available in redirect url
- Azure AD B2C vulnerable to Open Redirect?
- Azure B2C accepting different domains in Redirect URIs: Bug or Feature
- Why is Redirect URL Fully Qualified in Azure AD B2C?