Enforce State Parameter

This feature allows you to enforce the state parameter on the client.

What is state parameter?

OAuth and OpenID protocols, both, provide a state parameter that allows you to restore the previous state of your application. The state parameter is particularly useful with client applications that are stateful in nature. Meaning, they save the data from one session in order to use it in the another session.

Why is the state parameter used?

The state parameter, as mentioned earlier can be used to restore the previous state of the application. However, the principal use of the state parameter is to protect against the CSRF attacks.

CSRF Attacks

What are CSRF attacks?
Cross-Site Request forgery or CSRF is a type of a malicious exploit that is used to make a web application perform unauthorized tasks.
These are particulary dangerous with any JavaScript based applications.

The state parameter helps in protecting against these attacks because it can contain a special value which can not be guessed. The client application generates this value for each request it makes. A legitimate server response essentially contains exactly the same value. In this way the client can verify the state parameter as well as restore itself to a necessary state.

Custom Redirection

The state parameter contains the state of an application. In case of a stateless application, the client often encodes a URL in the state parameter. This URL can be used for various reasons. Primarily, it is used to redirect the user after the authorization is successful.

This is particulary helpful in case of Single Sign-on, when the client wants to redirect the user to the page where the user clicked on Login button

Plugin Configuration

  • Navigate to the Configurations tab.
  • Under the State Parameter section, you can find the toggle for this option.
    enforce-state-parameter
  • If the toggle is turned ON, the OAuth Server will enforce the state. Meaning, if the client does not send a state parameter, the server will display an error.
    ERROR:
    {
        "error":"invalid_state",
        "error_description":"The state parameter supplied is invalid or empty"
    }