December 19, 2018

OAuth 2.0 Security Considerations / CSRF Protection in Rails

RFC6819: OAuth 2.0 Threat Model and Security Considerations

https://tools.ietf.org/html/rfc6819 (2013)

The RFC gives additional security considerations for OAuth 2.0 specification. It contains “Code Substitution” threat (a.k.a. OAuth Login). In short, we should not use OAuth protocol for authN because OAuth itself does not support audience restrictions on clients. For authentication purpose, we can use dedicated protocols such as OpenID Connect and SAML.

A Deep Dive into CSRF Protection in Rails

https://medium.com/rubyinside/a-deep-dive-into-csrf-protection-in-rails-19fa0a42c0ef (2017)

The article describes how CSRF Protection in Rails works. When a Rails application renders and responses an HTML page, Rails sets a CSRF token into both HTML meta tag and Rails’ session. When the User Agent submitted a form, Rails checks that the received token from request body/header and another token from the session are equivalent. If so, the token is valid.

(c) Hibariya Lerche 2018

Powered by Hugo & Kiss.