I am working with the eBay API using OAuth on my current Meteor project app.

There is a section of the app where I can create an eBay account profile, and assign custom values to the account (such as nick-naming it, etc.). This is where I initiate the OAuth sign-in redirect process.

My question is about the 'state' parameter in the token requests. I understand that it is for helping prevent CSRF, but do I HAVE to use it that way? 'state' does seem to be optional after all.

Let's say I wanted to pass another value into the request call such as the string 'eBay Seller', and expect that the same exact string be returned in the response. I want to use that value to help my app determine which account to assign the returned tokens to (based on which account profile initiated the redirect link).

Is 'state' a valid place to pass in a variable that I expect to be returned exactly as sent? I considered using Session variables to handle this scenario, but quickly realized that this would not work, since the OAuth process takes me outside of my project's domain.

Does OAuth support passing variables that are expected to be returned as sent? Is sending my variable as 'state' allowed or even recommended (or absolutely not recommended?) Is there a better way to achieve what I want to do that does not involve updating database values?

Thank you!

Ticdoc

1 Answer

You can send what you want as state. You should try to make sure it's not guessable though, to mitigate against CSRF attacks.

If you want to return useful information like 'ebay seller' then include something for CSRF (e.g. hash of the session key id) and the text 'ebay seller' and delimit them e.g.

2CF24DBA5FB0A30E26E83B2AC5B9E29E1B161E5C1FA7425E73043362938B9824|ebay seller

Now you have the best of both worlds: useful state info + CSRF protection. Your redirect endpoint logic can check the hash of the session id matches and also confirm the account type from the initial request.

iandayman
  • If my application will only be used by a handful of trusted users, do I even need to bother with a session id hash and all that stuff? Literally everything we do here is done in-house all at one location by a bunch of people who have already known each other most of our lives. I think that a CSRF attack would be something that we just simply wouldn't have to worry about. It's not like I would write my own code to do malicious things against the company I work for and respect. You said I can send whatever I want as state, which answers the question. But *should* I do it that way? – Ticdoc May 02 '18 at 19:44
  • @Ticdoc - I would say not, simply because you are applying a non-standard meaning to a standard field, which by definition violates the OAuth 2 standard. Therefore your app doesn't follow the OAuth 2 protocol in exactly the way someone familiar with OAuth 2 would expect. Could you not embed the value you want as a query string parameter in the redirect_uri value instead? – Ed Graham Aug 13 '18 at 21:58
  • 1
    @EdGraham TIL that the redirection-uri should be static: https://stackoverflow.com/a/55577647/4400976. There should be no dynamic part to it as I just learned today. – Kevin Johnson Jul 11 '21 at 22:16