Storing oAuth state token in Flask session

前端 未结 1 1131
醉话见心
醉话见心 2021-01-05 13:28

A couple of tutorials on oAuth use the Flask session to store state parameters and access tokens in the flask session. (Brendan McCollam\'s very useful presentation from Py

相关标签:
1条回答
  • 2021-01-05 14:01

    I think some tutorials over-simplify in order to show simpler code. A good rule of thumb is to use session cookies only for information that MUST be known by your application and your user's browser, and is not private. That normally translates into a Session ID and possibly other non sensitive information such as a language selection.

    Applying that rule of thumb, I'd suggest the next to each of the tokens:

    1. Authorization Token: this data is by definition known to both the user and the application, so it shouldn't be a security concern to expose it in the cookie. However, there really is no need to keep this token once you're given an access code, so I advice against keeping it locally or in your cookies.

    2. Access Code: this data must be considered secret, and must only be known by your application and the provider. There is no reason to make it know to any other parties, including the user, therefore it should NOT be included in cookies. If you need to store it, keep it locally in your servers (perhaps in your database, referencing your users session ID).

    3. CSRF State Token: this data is ideally included as a hidden form field and validated against a server side variable, so cookies seem like an unnecessary complication. But I wouldn't be concerned about this data being in a cookie, since it's part of the response anyways.

    Keep in mind there are extensions such as flask-sessions, with which practically the same code uses server side variables instead of cookie variables.

    0 讨论(0)
提交回复
热议问题