I have implemented the Google OAuth2 login for different Google services a couple of times now, but I never thought about how the login can be abused if the state token is not included.
I understand the principles of CSRF, and I implemented my OAuth2 flows as described in https://developers.google.com/accounts/docs/OAuth2Login (with a session token in the state token), I just don't see how an attacker can abuse it if there is no session token.
Perhaps this is due to what I do after a successful response from the Google consent page (I get the refresh + access token, save them to the user specified in the state token, and redirect to another page also indicated in the state token), but how is this a problem otherwise?
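As an added illustration of the state handling the question refers to (example code written here, not taken from the question or from Google's documentation), the following shows the defensive side: the state sent to the consent page is an unguessable nonce bound to the user's browser session, and the callback is accepted only if the returned state matches that session's nonce. The in-memory session dict, the `code` value and the client id are constructed placeholders; the authorization endpoint is the one named in the linked Google documentation.

```python
import base64
import hmac
import json
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Endpoint from the Google OAuth2 login documentation linked in the question.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"


def build_authorization_url(session, client_id, redirect_uri, next_page="/"):
    """Create the consent-page URL for this browser session.

    `session` is assumed to be a dict-like server-side session (hypothetical
    store for this example). The nonce stored in it is the CSRF protection;
    the `next` field only records where to redirect after login.
    """
    nonce = secrets.token_urlsafe(32)          # unguessable, per login attempt
    session["oauth_state"] = nonce             # bound to THIS session only
    payload = json.dumps({"nonce": nonce, "next": next_page}).encode()
    state = base64.urlsafe_b64encode(payload).decode()
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid email",
        "state": state,
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def state_from_url(url):
    """Helper for tests/demos: pull the raw state parameter back out of a URL."""
    return parse_qs(urlparse(url).query)["state"][0]


def handle_callback(session, callback_url):
    """Validate the redirect back from the consent page.

    Returns a dict with ok=True and the authorization code only when the
    state parameter is present, well-formed, and equal to the nonce stored
    in this session. The nonce is consumed so a callback cannot be replayed.
    """
    query = parse_qs(urlparse(callback_url).query)
    if "state" not in query or "code" not in query:
        return {"ok": False, "error": "missing state or code"}
    try:
        # binascii.Error and json.JSONDecodeError are both ValueError subclasses
        state = json.loads(base64.urlsafe_b64decode(query["state"][0]))
    except ValueError:
        return {"ok": False, "error": "malformed state"}
    if not isinstance(state, dict):
        return {"ok": False, "error": "malformed state"}

    expected = session.pop("oauth_state", None)   # single use: pop, not get
    presented = str(state.get("nonce", ""))
    # Constant-time comparison on bytes; rejects a nonce from any other session.
    if expected is None or not hmac.compare_digest(expected.encode(), presented.encode()):
        return {"ok": False, "error": "state mismatch"}

    # Only now is it safe to exchange `code` for tokens and attach them to
    # the user who owns `session`.
    return {"ok": True, "code": query["code"][0], "next": state.get("next", "/")}


if __name__ == "__main__":
    sess = {}
    url = build_authorization_url(sess, "client-id-placeholder", "https://app.example/cb", "/dashboard")
    good = handle_callback(sess, "https://app.example/cb?code=code-placeholder&state=" + state_from_url(url))
    print(good)
    print(handle_callback(sess, "https://app.example/cb?code=code-placeholder"))  # no state -> rejected
```

The point the example makes is that the user-to-session binding lives in the nonce check, not in the `next` redirect target: a callback that arrives without a state, with a state minted for a different session, or with a state that has already been consumed is refused before any token is stored against a user.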