What is App State and Why?

In OIDC you create and send a value for App State.
I can set this value to 1 and it still works.
I can use the exact same value for every single request and it still works.
What is App State?
Should it be unique for request and what happens if it is not unique?

The state parameter is required to be included in all requests to the /authorize endpoint to prevent CSRF, as noted in our documentation here. Here’s the explanation from the OpenID spec:

Opaque value used to maintain state between the request and the callback. Typically, Cross-Site Request Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the value of this parameter with a browser cookie.

As well as the entry about this in the RFC for the OAuth spec:

The client MUST implement CSRF protection for its redirection URI. This is typically accomplished by requiring any request sent to the redirection URI endpoint to include a value that binds the request to the user-agent’s authenticated state (e.g., a hash of the session cookie used to authenticate the user-agent). The client SHOULD utilize the “state” request parameter to deliver this value to the authorization server when making an authorization request.

Once authorization has been obtained from the end-user, the authorization server redirects the end-user’s user-agent back to the client with the required binding value contained in the “state” parameter. The binding value enables the client to verify the validity of the request by matching the binding value to the user-agent’s authenticated state. The binding value used for CSRF protection MUST contain a non-guessable value (as described in Section 10.10), and the user-agent’s authenticated state (e.g., session cookie, HTML5 local storage) MUST be kept in a location accessible only to the client and the user-agent (i.e., protected by same-origin policy)…

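To make the binding described above concrete, here is an added example of the client-side handling the quoted passages call for (this is illustrative code, not code from this thread, from Auth0, or from any library). It shows why a constant state such as `1` "still works": the authorization server only reflects the value back unchanged, so the check has to happen in the client, and a client that never compares state to its own session gets no CSRF protection from it. The example assumes a dict-like, cookie-protected per-browser `session` store and the hypothetical names `SESSION_STATE_KEY`, `build_authorize_url`, `verify_callback` and `state_in_url`; the state is a fresh 256-bit random value per login, stored in the session, consumed once, compared in constant time and expired after ten minutes.

```python
"""Client-side handling of the OAuth 2.0 / OIDC ``state`` parameter (example code).

Assumptions (not from the original thread): ``session`` is any dict-like store
that is tied to the browser by a cookie (e.g. a server-side session), and the
authorization server returns ``state`` unchanged on the redirect URI, as the
spec requires.
"""
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

SESSION_STATE_KEY = "oidc_state"   # hypothetical key name inside the session store
STATE_MAX_AGE_SECONDS = 600        # how long an outstanding login may take


class StateError(Exception):
    """Raised when a callback cannot be bound to a login this session started."""


def new_state() -> str:
    """Return a fresh, non-guessable state value (32 random bytes, URL-safe)."""
    return secrets.token_urlsafe(32)


def build_authorize_url(authorize_endpoint: str, client_id: str,
                        redirect_uri: str, session: dict, now=None) -> str:
    """Start a login: mint a state, bind it to this session, return the redirect URL."""
    issued_at = now if now is not None else time.time()
    state = new_state()
    # Binding step: the expected value lives only in the caller's own session,
    # which the browser presents (via its cookie) when it arrives at the callback.
    session[SESSION_STATE_KEY] = {"value": state, "issued_at": issued_at}
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def state_in_url(url: str) -> str:
    """Extract the state parameter from a URL (helper for demos and tests)."""
    return parse_qs(urlparse(url).query).get("state", [""])[0]


def verify_callback(callback_url: str, session: dict, now=None) -> str:
    """Validate the redirect back to the client and return the authorization code.

    Raises StateError unless the presented state matches a login that *this*
    session started, has not been used before, and is not stale.
    """
    query = parse_qs(urlparse(callback_url).query)
    presented = query.get("state", [None])[0]
    code = query.get("code", [None])[0]
    if presented is None or code is None:
        raise StateError("callback is missing state or code")

    # Single use: pop the expected value so a replayed callback cannot match again.
    expected = session.pop(SESSION_STATE_KEY, None)
    if expected is None:
        raise StateError("no login was started in this session")

    current = now if now is not None else time.time()
    if current - expected["issued_at"] > STATE_MAX_AGE_SECONDS:
        raise StateError("state expired")

    # Constant-time comparison on bytes; avoids both timing leaks and the
    # TypeError compare_digest raises for non-ASCII str input.
    if not hmac.compare_digest(expected["value"].encode(), presented.encode()):
        raise StateError("state does not match this session")
    return code


if __name__ == "__main__":
    # Constructed walk-through: a genuine login, then a forged callback with state=1.
    session = {}
    url = build_authorize_url("https://idp.example/authorize", "my-client",
                              "https://app.example/callback", session)
    print("redirect user to:", url)
    genuine = f"https://app.example/callback?code=abc123&state={state_in_url(url)}"
    print("genuine callback accepted, code =", verify_callback(genuine, session))

    session = {}
    build_authorize_url("https://idp.example/authorize", "my-client",
                        "https://app.example/callback", session)
    try:
        verify_callback("https://app.example/callback?code=evil&state=1", session)
    except StateError as err:
        print("forged callback rejected:", err)
```

The per-login random value is the form both quoted passages describe: the authorization server never validates it, so the client must hold the only other copy and compare on return. Storing it in the session (rather than deriving it from something the attacker could guess) is what turns the parameter into a CSRF defence; reusing one value across requests, or never comparing it, removes that defence even though the login flow still completes.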
