Skip to content

An example repository which provides OAuth integration to RedwoodJS' dbAuth.

License

Notifications You must be signed in to change notification settings

realStandal/redwoodjs-dbauth-oauth

Repository files navigation

RedwoodJS: OAuth integration with dbAuth

This repository houses a set of OAuth integrations for RedwoodJS' dbAuth:

3rd-Party Identity Provider Integration

Support for the following OAuth-compatible platforms (identity providers) can be found in this repository:

CSRF Prevention

All requests to a 3rd-party identity provider make use of the OAuth-standard state parameter to mitigate CSRF attacks. This value is generated at the start of each OAuth request, and is stored using the browser's SessionStorage interface.

When a user is redirected after authorizing the OAuth request, the returned state-value is checked against the one in storage. If there is a match: the request is allowed and the user is authenticated; if there is not a match: the request is discarded, the user is notified of the possible attack, and the user is not authenticated.

This mitigation takes place entirely on the client. The web-side generates a random value, adds it to the OAuth request, stores the value, and performs response-matching without contacting the API.