Enforce State Parameter
This feature ensures that the state parameter is always included in OAuth or OpenID requests made by the client. Enforcing the state parameter strengthens security and helps prevent unauthorized or forged authentication requests.
What is the state parameter?
In the OAuth and OpenID protocols, the state parameter is a value the client sends with the authorization request. It lets the client maintain or restore the application's previous state after the user completes authentication.
This parameter is particularly useful for stateful applications, which save information from one session so that it can be reused in another.
Why is the state parameter important?
While the state parameter can help restore the application’s previous state, its primary purpose is to protect against Cross-Site Request Forgery (CSRF) attacks.
CSRF Attacks
A CSRF attack tricks a web application into performing unauthorized actions on behalf of a logged-in user. These attacks are especially dangerous for JavaScript-based or browser applications.
The state parameter helps prevent CSRF attacks by including a unique, unpredictable value with each authorization request.
- The client generates this value for every request.
- The authorization server returns the same value in its response.
- The client verifies the returned state to ensure the response is legitimate and has not been tampered with.
This process ensures that only valid requests initiated by the client are accepted.
Custom Redirection
In stateless applications, the state parameter can store a redirect URL instead of session data. After a successful login, this URL tells the application where to redirect the user.
This is particularly useful in Single Sign-On (SSO) scenarios, for example to redirect the user back to the exact page where they clicked the Login button.
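The following Python example is added here to illustrate both the CSRF-protection flow above (generate an unpredictable state, keep it in the session, verify it on the callback) and the custom-redirection use of the state parameter. It is not the plugin's own code: the session object, the endpoint URLs and the client identifiers are assumed placeholders, and the layout of the state value (a random nonce followed by a base64url-encoded return path) is one possible design, not a format defined by the protocol.

```python
import base64
import hmac
import secrets
from urllib.parse import urlencode, urlsplit

# The "session" passed to these functions is assumed to be a dict-like object
# bound to the browser session (e.g. a server-side session store). This is a
# placeholder for whatever session mechanism the application actually uses.


def encode_return_to(path: str) -> str:
    """Base64url-encode the post-login return path without '=' padding."""
    return base64.urlsafe_b64encode(path.encode()).decode().rstrip("=")


def decode_return_to(token: str) -> str:
    """Reverse of encode_return_to; restores the stripped padding first."""
    padding = "=" * (-len(token) % 4)
    return base64.urlsafe_b64decode(token + padding).decode()


def is_safe_return_path(path: str) -> bool:
    """Accept only same-site relative paths (no scheme, no host, no '//host')."""
    parts = urlsplit(path)
    return (
        path.startswith("/")
        and not path.startswith("//")
        and parts.scheme == ""
        and parts.netloc == ""
    )


def build_authorization_url(session, authorize_endpoint: str, client_id: str,
                            redirect_uri: str, return_to: str = "/") -> str:
    """Step 1: the client generates a fresh, unpredictable state per request.

    The state carries a random nonce (the CSRF token) plus the page to return
    to after login, and is stored in the session for later comparison.
    """
    if not is_safe_return_path(return_to):
        return_to = "/"
    nonce = secrets.token_urlsafe(32)
    state = f"{nonce}.{encode_return_to(return_to)}"
    session["oauth_state"] = state
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
    })
    return f"{authorize_endpoint}?{query}"


def handle_callback(session, callback_params: dict) -> tuple:
    """Step 3: verify the state the authorization server echoed back.

    Returns (accepted, destination_or_error). A missing or mismatched state is
    rejected with "invalid_state"; a valid one yields the safe return path.
    """
    expected = session.pop("oauth_state", None)  # one-time use: never reusable
    returned = callback_params.get("state", "")
    if not expected or not returned:
        return False, "invalid_state"
    # Constant-time comparison of the session copy against the returned value.
    if not hmac.compare_digest(expected.encode(), returned.encode()):
        return False, "invalid_state"
    _nonce, _, encoded = returned.partition(".")
    try:
        return_to = decode_return_to(encoded)
    except ValueError:
        return_to = "/"
    if not is_safe_return_path(return_to):
        return_to = "/"
    return True, return_to


if __name__ == "__main__":
    # Constructed walk-through: build the request, then simulate the callback.
    sess = {}
    url = build_authorization_url(sess, "https://issuer.example/authorize",
                                  "client-abc", "https://app.example/cb",
                                  "/account/settings")
    print(url)
    print(handle_callback(sess, {"code": "constructed", "state": sess_state}
                          if (sess_state := sess["oauth_state"]) else {}))
```

Because the returned state is compared against the copy held in the session, an attacker who crafts a callback URL with their own state value cannot satisfy the check, and the redirect path embedded in it is only honoured after that comparison succeeds. The separate is_safe_return_path check keeps the custom-redirection feature from turning into an open redirect if a caller ever passes an absolute URL as the return target.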
Plugin Configuration
To enable State Parameter Enforcement:
- Navigate to the Configurations tab.
- Under the State Parameter section, locate the Enforce State Parameter toggle.
- Turn the toggle ON. Once enabled, the OAuth Server requires the client to include a valid state parameter in each request.

If the client fails to provide the state parameter, the server returns the following error:
ERROR:
{
    "error": "invalid_state",
    "error_description": "The state parameter supplied is invalid or empty"
}