This repository houses a set of OAuth integrations for RedwoodJS' dbAuth:
- Integration with 3rd-party identity providers.
Support for the following OAuth-compatible platforms (identity providers) can be found in this repository:
All requests to a 3rd-party identity provider make use of the OAuth-standard `state` parameter to mitigate CSRF attacks. This value is generated at the start of each OAuth request and is stored using the browser's SessionStorage interface.
When a user is redirected back after authorizing the OAuth request, the returned `state` value is checked against the one in storage. If the values match, the request is allowed and the user is authenticated. If they do not match, the request is discarded, the user is notified of the possible attack, and the user is not authenticated.
This mitigation takes place entirely on the client. The web side generates a random value, adds it to the OAuth request, stores the value, and matches it against the response without contacting the API.