OAuth state parameter signing and verification
Provides HMAC-SHA256 signing for OAuth state parameters to prevent CSRF attacks: the signature ensures the state parameter cannot be tampered with between the authorization request and the callback that completes the OAuth flow.
§Security
The state parameter is signed with HMAC-SHA256 to prevent attackers from:
- Modifying the return_url to redirect users to malicious sites
- Tampering with the PKCE verifier
- Forging nonce values
§Format
Signed state: base64url(state_json).base64url(hmac_signature)
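The following is an added example (not the crate's own code) that reproduces the `base64url(state_json).base64url(hmac_signature)` format described above in Python's standard library, so the security properties from the §Security section can be exercised directly: a signature computed over the received payload bytes, a constant-time comparison, and rejection of any token whose `return_url` or `pkce_verifier` was edited after signing. The `is_valid` and `tamper_return_url` helpers and the 32-byte secret are assumptions made for this demonstration.

```python
import base64
import hashlib
import hmac
import json
import secrets


def _b64url(data: bytes) -> str:
    """base64url without padding, as used in the signed-state format."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url; re-adds padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def generate_nonce(nbytes: int = 32) -> str:
    """Cryptographically secure random nonce (CSPRNG-backed)."""
    return secrets.token_urlsafe(nbytes)


def sign_state(state: dict, secret: bytes) -> str:
    """Serialize the state to JSON and append an HMAC-SHA256 over those bytes."""
    payload = json.dumps(state, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"{_b64url(payload)}.{_b64url(sig)}"


def verify_state(signed: str, secret: bytes) -> dict:
    """Return the decoded state, or raise ValueError if the token is malformed
    or its signature does not match. The MAC is checked over the payload bytes
    exactly as received, so no re-serialization is involved."""
    parts = signed.split(".")
    if len(parts) != 2:
        raise ValueError("malformed signed state: expected payload.signature")
    try:
        payload = _b64url_decode(parts[0])
        sig = _b64url_decode(parts[1])
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("malformed signed state: bad base64url") from exc
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    # Constant-time comparison prevents timing leaks about the signature.
    if not hmac.compare_digest(expected, sig):
        raise ValueError("state signature verification failed")
    return json.loads(payload)


def is_valid(signed: str, secret: bytes) -> bool:
    """Convenience predicate around verify_state (assumed helper)."""
    try:
        verify_state(signed, secret)
        return True
    except ValueError:
        return False


def tamper_return_url(signed: str, new_url: str) -> str:
    """Model the attack the HMAC defends against: rewrite return_url in the
    payload while keeping the original signature (assumed helper)."""
    payload_b64, sig_b64 = signed.split(".")
    state = json.loads(_b64url_decode(payload_b64))
    state["return_url"] = new_url
    forged = json.dumps(state, separators=(",", ":"), sort_keys=True).encode()
    return f"{_b64url(forged)}.{sig_b64}"


if __name__ == "__main__":
    # Constructed sample values for the demonstration.
    secret = b"k" * 32
    state = {
        "nonce": generate_nonce(),
        "return_url": "/dashboard",
        "pkce_verifier": "pkce-verifier",
    }
    token = sign_state(state, secret)
    print("verified:", verify_state(token, secret)["return_url"])
    forged = tamper_return_url(token, "https://attacker.example/")
    print("forged token accepted:", is_valid(forged, secret))
    print("wrong key accepted:", is_valid(token, b"x" * 32))
```

Verification deliberately recomputes the MAC over the base64url-decoded payload rather than over a re-serialized copy of the parsed JSON; that keeps the check independent of key ordering or whitespace choices in the serializer and means a token is either byte-for-byte what was signed or it is rejected.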
§Example
```rust
use micromegas_auth::oauth_state::{OAuthState, sign_state, verify_state};

let state = OAuthState {
    nonce: "random-nonce".to_string(),
    return_url: "/dashboard".to_string(),
    pkce_verifier: "pkce-verifier".to_string(),
};
let secret = b"your-32-byte-secret-key-here!!!";
let signed = sign_state(&state, secret).expect("signing failed");
let verified = verify_state(&signed, secret).expect("verification failed");
assert_eq!(verified.return_url, "/dashboard");
```
Structs§
- OAuthState - OAuth state stored in the state parameter
Functions§
- generate_nonce - Generate a cryptographically secure random nonce
- sign_state - Sign OAuth state parameter with HMAC-SHA256 to prevent tampering
- verify_state - Verify and decode signed OAuth state parameter