
I wish to correlate all the calls throughout Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectEvents (OnRedirectToIdentityProvider, OnAuthorizationCodeReceived etc).

I wish to set the 'state' parameter in OnRedirectToIdentityProvider to a GUID so that I can later correlate the calls in the logs, for example:

    OnRedirectToIdentityProvider = async context =>
    {
        var myGuid = Guid.NewGuid().ToString();
        context.ProtocolMessage.State = myGuid;
        _log.LogInformation("OnRedirectToIdentityProvider: {0}", myGuid);

        ...
    },
    OnAuthorizationCodeReceived = async context =>
    {
        _log.LogInformation("OnAuthorizationCodeReceived: {0}", context.ProtocolMessage.State);

        ...
    },
    ...

In the docs it is said that IdentityServer will echo back the state value in the token response: http://docs.identityserver.io/en/latest/endpoints/authorize.html

I also read that the client is responsible for the validation of this property.

The question is:

  • I couldn't find any specific resource about using the 'state' property: is the validation handled automatically by the middleware, or should I handle the validation myself in a callback function?

  • Are there any security risks I should consider when using a GUID in the 'state' parameter?

  • Pros/cons I should consider?

Regards, A

  • That's handled by the middleware; state is unique and non-guessable, so a GUID is ok for the state parameter. – Nan Yu May 31 '19 at 09:24
  • Thanks, found from the source code the Options.StateDataFormat.Unprotect() method. After debugging and using this method, I can see that setting the ProtocolMessage.State value actually changes only AuthenticationProperties.Items["OpenIdConnect.Userstate"] value. All the other properties stay intact. – ecif May 31 '19 at 12:53

1 Answer


It is a valid approach to use a GUID as the ProtocolMessage.State property value.

After setting ProtocolMessage.State in the OnRedirectToIdentityProvider event:

    context.ProtocolMessage.State = myGuid;

I found out from the source code that the data is deserialized with the StateDataFormat.Unprotect() method. I used this to debug:

    context.Options.StateDataFormat.Unprotect("CfDJ8...yr7Rpx3DyQMwPw")

The 'state' value in the query is actually a serialized AuthenticationProperties class.

The AuthenticationProperties class is generated by the middleware and ProtocolMessage.State value is actually stored as AuthenticationProperties.Items["OpenIdConnect.Userstate"] in the response. As mentioned in the comment, middleware handles the validation of state.
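The following is an added example (not code from the question, the answer, or the ASP.NET Core project) showing the whole round trip the answer describes: a correlation GUID is placed in ProtocolMessage.State during the challenge, the handler wraps it in its protected AuthenticationProperties envelope, and after the handler has unprotected and validated that envelope on the callback the same GUID is read back from Properties.Items under OpenIdConnectDefaults.UserstatePropertiesKey (the "OpenIdConnect.Userstate" key from the answer). The authority, client id and logger category are placeholder values; OidcCorrelationSetup, ReadCorrelationId and Log are helper names chosen for this example.

```csharp
// Added example: correlating OpenIdConnectEvents through the 'state' parameter.
// Authority/ClientId are placeholders; helper names are hypothetical.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

public static class OidcCorrelationSetup
{
    // The handler stores whatever we put in ProtocolMessage.State under this key
    // inside the protected AuthenticationProperties envelope ("OpenIdConnect.Userstate").
    private static readonly string UserStateKey = OpenIdConnectDefaults.UserstatePropertiesKey;

    public static void Configure(IServiceCollection services)
    {
        services.AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(options =>
        {
            options.Authority = "https://idp.example.test"; // placeholder
            options.ClientId = "my-client";                  // placeholder
            options.ResponseType = "code";

            options.Events = new OpenIdConnectEvents
            {
                OnRedirectToIdentityProvider = context =>
                {
                    // The GUID is only a correlation tag; the handler protects the
                    // surrounding envelope and validates it on the way back.
                    var correlationId = Guid.NewGuid().ToString("N");
                    context.ProtocolMessage.State = correlationId;
                    Log(context.HttpContext, "OnRedirectToIdentityProvider", correlationId);
                    return Task.CompletedTask;
                },
                OnAuthorizationCodeReceived = context =>
                {
                    // By now the handler has unprotected the state: the user value is
                    // restored into ProtocolMessage.State and kept in Properties.Items.
                    var correlationId = ReadCorrelationId(context.Properties)
                                        ?? context.ProtocolMessage.State;
                    Log(context.HttpContext, "OnAuthorizationCodeReceived", correlationId);
                    return Task.CompletedTask;
                },
                OnTokenValidated = context =>
                {
                    Log(context.HttpContext, "OnTokenValidated", ReadCorrelationId(context.Properties));
                    return Task.CompletedTask;
                },
                OnRemoteFailure = context =>
                {
                    // A state value that fails to unprotect never reaches the events above;
                    // logging the failure keeps the broken correlation visible.
                    Log(context.HttpContext, "OnRemoteFailure", context.Failure?.Message);
                    return Task.CompletedTask;
                }
            };
        });
    }

    // Reads the original ProtocolMessage.State value back out of the unprotected properties.
    private static string ReadCorrelationId(AuthenticationProperties properties)
    {
        if (properties?.Items != null && properties.Items.TryGetValue(UserStateKey, out var value))
        {
            return value;
        }
        return null;
    }

    // Structured log line with the stage name and correlation id as named placeholders.
    private static void Log(HttpContext httpContext, string stage, string correlationId)
    {
        var logger = httpContext.RequestServices
            .GetRequiredService<ILoggerFactory>()
            .CreateLogger("OidcCorrelation"); // placeholder category
        logger.LogInformation("{Stage} correlationId={CorrelationId}", stage, correlationId);
    }
}
```

Call OidcCorrelationSetup.Configure(services) from Startup.ConfigureServices (or the WebApplication builder). Filtering the log sink on the CorrelationId property then lines up the redirect, code and token-validation entries of one sign-in; the OnRemoteFailure entry is the one to watch when the callback arrives with a state the handler cannot unprotect.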
