
I have some security concerns about the first step of account authentication in my application.

The authentication goes through an OpenID provider. If the response of such a provider shows that the user is already registered, I authenticate him, sending an auth token that will be stored in a cookie and sent back as a Bearer header. The token is signed using JWT and the session is kept in Mongo. If that's the first time he authenticates, I create the account and do the same process.

It seems insecure to me because I don't use the state parameter of the OpenID flow, since I can't generate something based on a user that may not exist yet.

I've seen multiple times that the use of such parameter was strongly recommended, but also answers like this one saying this was useless.

He will also have to authenticate on another OAuth provider after that, but since this operation will be available only to logged-in users, I can easily generate and send the state parameter to the provider using some sort of encryption with the user id to help me retrieve him, and nobody can trick the session.

I've also seen that it's not a good practice to check the referrer URL of the OAuth callback, but it seems quite secure to me, since it denies attacks on the client.

Please note that the application will be using SSL so there will not be concerns about MITM.


I know I can create a local user using the classic email and password association and then authenticate with the two OpenID providers, but I would like to skip such boring process, is that possible, securely?

Preview
  • [You need `state` in order to prevent the owner of a malicious app from using a token granted to their app to access yours](http://security.stackexchange.com/a/81315/8340). Can't you generate a unique, cryptographically secure token then use this to identify the anonymous user and use this as state? The attacker (owner of the evil app) will not know the value of this token. – SilverlightFox Apr 13 '15 at 09:07
  • What info can I take to identify an anonymous user? The IP can be easily spoofed – Preview Apr 13 '15 at 09:09
  • Generate a cryptographically secure, random string and store it in your database. As a further check, you could store this value in a cookie too. – SilverlightFox Apr 13 '15 at 09:12
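The approach suggested in the comments, as an added example that is not part of the original question or comments: the state is a random, single-use value that is both sent to the provider and set as a cookie, so the callback can be matched to the browser that started the login without knowing who the user is yet. The in-memory store, `begin_login`/`finish_login`, and the provider URL are hypothetical; a real deployment would keep pending states in Mongo.

```python
import secrets
import hmac
import time
from urllib.parse import urlencode

# Hypothetical in-memory store of pending logins: state -> expiry timestamp.
PENDING_STATES = {}
STATE_TTL_SECONDS = 600


def begin_login(authorize_url, client_id, redirect_uri, now=None):
    """Start a login for an anonymous visitor.

    Returns (redirect_url, cookie_value). The same random value is sent to
    the provider as `state` and stored in a cookie on the visitor's browser,
    so the callback can later be tied to the browser that initiated it.
    """
    now = time.time() if now is None else now
    state = secrets.token_urlsafe(32)          # 256 random bits, unguessable
    PENDING_STATES[state] = now + STATE_TTL_SECONDS
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid",
        "state": state,
    }
    return f"{authorize_url}?{urlencode(params)}", state


def finish_login(cookie_state, returned_state, now=None):
    """Check the state echoed by the provider against the browser's cookie.

    Returns True only if the state was issued by us, has not expired, and
    equals the cookie value. The entry is consumed on any attempt, so a
    captured callback URL cannot be replayed.
    """
    now = time.time() if now is None else now
    expires_at = PENDING_STATES.pop(returned_state, None)
    if expires_at is None or now > expires_at:
        return False                            # unknown, reused or stale
    if not cookie_state or not hmac.compare_digest(cookie_state, returned_state):
        return False                            # callback from another browser
    return True
```

Only after `finish_login` returns True should the authorization code be exchanged and the user looked up or created.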
