How can I validate the state param?

arbnorlumezi · May 12, 2025, 4:52pm

From my application I am able to add a url in state param as so:

While using: GitHub - okta/okta-auth-js: The official js wrapper around Okta's auth API

https://companyname.okta.com/oauth2/default/v1/authorize?

client_id=123123123&response_type=code&scope=openid&redirect_u

ri=https%3A%2F%board.companyname.com%2Fauthorization-code

%2Fcallback&state=https://www.facebook.com/

With the above example after successful login I am redirected to Facebook.com

The lack of URL validation here introduces an arbitrary redirect vulnerability that can be abused for phishing attempts or as part of a complex attack chain.

How can I validate the state param to make sure this does not happen?

I tried a few ways following the documentation but nothing works so far.

ram.gandhi · May 12, 2025, 5:01pm

I answered something similar a while back. Let me know if this answers your question

arbnorlumezi · May 13, 2025, 9:34am

Not really my case.
I have already defined a redirectUri, instead if being directed there I’m being directed to the potential attackers url.

ram.gandhi · May 13, 2025, 1:13pm

But ideally you might have to generate an opaque value and pair it with the destination url in a local store. Then send this opaque value as state and use it in callback url code to redirect user to destination URL

I will provide detailed steps with an example.

You create a unique opaque value such as a uuid - 7e981003-1ddb-4732-a9cf-c97087c79fb5
Store it in client storage such as localstorage/sessionstorage along with your destination url - {“7e981003-1ddb-4732-a9cf-c97087c79fb5”: “https://www.facebook.com/”}
Make authorize with this id as state - https://companyname.okta.com/oauth2/default/v1/authorize?client_id=123123123&response_type=code&scope=openid&redirect_uri=https%3A%2F%board.companyname.com%2Fauthorization-code%2Fcallback&state=7e981003-1ddb-4732-a9cf-c97087c79fb5
During callback use this value to lookup destination url from your client storage and redirect

By using this method, your destination URL will be something from your client storage. If someone tampers with the state, you will not find a match and can respond with an error and/or retry authorize again.

system · May 14, 2025, 1:13pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.

Post		Replies	Views
How to use the state parameter in passport-okta-oauth? OAuth/OIDC	4	5849	February 8, 2024
Dynamic redirect in the authorization callback in node express? Questions	3	3016	June 22, 2022
Okta Custom Callback Route - Configuring State Param API api , python	1	3591	February 12, 2024
Description: The 'redirect_uri' parameter must be a Login redirect URI in the client app settings Questions	2	7476	July 26, 2021
Should I generate STATE from my front end (REACT) when authorizing or? OAuth/OIDC reactjs	2	231	July 2, 2024

How can I validate the state param?

Related topics