[GH-ISSUE #182] State not being checked after response #111

New issue

Closed

opened 2026-03-03 16:45:46 +03:00 by kerem · 2 comments

kerem commented 2026-03-03 16:45:46 +03:00

Owner

Copy link

Originally created by @mats-claassen on GitHub (Feb 11, 2016).
Original GitHub issue: https://github.com/OAuthSwift/OAuthSwift/issues/182

I am trying to connect to Linkedin. After requesting authorization they return a code and a state. The code is used to get the access token but it is not being checked (or at least I did not find it) if the state matches the one send in the first request.

Originally created by @mats-claassen on GitHub (Feb 11, 2016). Original GitHub issue: https://github.com/OAuthSwift/OAuthSwift/issues/182 I am trying to connect to Linkedin. After requesting authorization they return a `code` and a `state`. The `code` is used to get the access token but it is not being checked (or at least I did not find it) if the `state` matches the one send in the first request.

kerem closed this issue 2026-03-03 16:45:46 +03:00

kerem commented 2026-03-03 16:45:47 +03:00

Author

Owner

Copy link

@phimage commented on GitHub (Feb 21, 2016):

I think you are right (and must be check to prevent CSRF)
http://tools.ietf.org/html/draft-ietf-oauth-v2-26#section-10.12

<!-- gh-comment-id:186895157 --> @phimage commented on GitHub (Feb 21, 2016): I think you are right (and must be check to prevent CSRF) http://tools.ietf.org/html/draft-ietf-oauth-v2-26#section-10.12

kerem commented 2026-03-03 16:45:47 +03:00

Author

Owner

Copy link

@phimage commented on GitHub (Feb 21, 2016):

added a check about state value when receiving a code
don't know if all case is supported : i read some info here http://spring.io/blog/2011/11/30/cross-site-request-forgery-and-oauth2

add a var allowMissingStateCheck to remove this check in case of some problem in provider oauth protocol

<!-- gh-comment-id:186908413 --> @phimage commented on GitHub (Feb 21, 2016): added a check about state value when receiving a `code` don't know if all case is supported : i read some info here http://spring.io/blog/2011/11/30/cross-site-request-forgery-and-oauth2 add a var `allowMissingStateCheck` to remove this check in case of some problem in provider oauth protocol

kerem referenced this issue 2026-03-03 16:49:14 +03:00

[PR #111] [MERGED] FIX #110 merge query and fragment parameters instead of choosing one #519

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

ci/action/danger

ci/action/release-drafter

pkce

ci/action/tvos

ci/travis

2.1.0

2.0.0

fix/fitbiterror

swift3

digu-demo

swift3.0objc

swift2.2

swift2.3

swift2.0

2.2.0

2.1.2

2.1.1

2.1.0

2.0.1

2.0.0

1.4.1

1.4.0

1.3.0

1.2.2

1.2.1

1.2.0

1.1.2

1.1.1

1.1.0

1.0.0

0.6.0

0.5.2

v0.5.2

0.5.1

0.5.0

0.4.8

0.4.6

v0.4.6

0.4.5

v0.4.5

0.4.4

v0.4.4

0.4.3

0.4.2

0.4.1

v0.4.1

0.4.0

v0.4.0

Swift1.x

0.3.7

v0.3.7

0.3.6

v0.3.6

0.3.5

v0.3.5

0.3.4

v0.3.4

0.3.3

v0.3.3

v0.3.2

0.3.2

0.3.1

v0.3.1

0.3.0

v0.3.0

0.2.1

0.2.0

v0.2.0

0.1.9

0.1.8

0.1.7

v0.1.7

v0.1.6

Labels

Clear labels   

bug

  

cocoapod

  

duplicate

  

enhancement

  

feature-request

  

help wanted

  

help wanted

  

invalid

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

wontfix

No labels

bug

cocoapod

duplicate

enhancement

feature-request

help wanted

help wanted

invalid

pull-request

question

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/OAuthSwift#111

No description provided.