问题
If I use the State parameter to control the RedirectURI as described here: "Why is Redirect URL Fully Qualified in Azure AD B2C?", wouldn't I be susceptible to Open Redirect Vulnerabilities?
Haven't I just moved the problem from the RedirectURI to the State parameter?
回答1:
State parameter can be used to control redirection AFTER the app is launched again. The token will only go one place (as specified by the redirect URL). After that, the app is securely in control of the token, and can look at the state parameter to determine whether the user/token should be going to a different place. This is useful in various scenarios, like in the case where you are creating a news based app, and you need to know which article they attempted to sign in from. They will then be redirected back to that same article so that they can continue reading.
回答2:
The
Stateparameter is opaque and the app should validate when it gets back from the authorization server (e.g. encrypted, signed, etc.).
from Omer Iqbal's comment
来源:https://stackoverflow.com/questions/47577252/using-state-parameter-in-azure-ad-b2c-susceptible-to-open-redirect-vulnerability