Subject: Net::Linkedin::OAuth2 implementation question
Date: Tue, 2 Feb 2016 16:11:08 +0000
To: bug-Net-Linkedin-OAuth2 [...] rt.cpan.org
From: Steven Cotton <steven [...] cotton.dk>
Hi,
I was reading the docs for your module but didn't notice a nonce mentioned,
so I looked in the source.
When you create the auth URL I notice you're using a state of rand(), which
is ok, but that isn't returned to the caller. Usually I would store that
either locally or encrypted in a cookie, such that when LinkedIn
redirects the user back to redirect_uri, that state value is also passed in
so it can be compared to the original and determine whether there's a CSRF
in progress or not.
Is it possible you fancy adding that functionality? I think at the moment
it's vulnerable to CSRF, isn't it?
As an aside, I don't suppose you've had any success authenticating users
against LinkedIn? I've seen both a non-standard OAuth2 implementation, and
weird behaviour their end, almost as if there's a delay of minutes until a
returned token is deemed valid, making the entire process useless. On top
of that, when I've contacted LinkedIn about it, they pointed me toward
StackOverflow!
Thanks,
Steve Cotton
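The check described in the report above (issue an unpredictable `state`, keep it on the server side or in a signed cookie, and compare it when the provider redirects back to `redirect_uri`) as an added, self-contained example. This is illustrative Python, not code from Net::Linkedin::OAuth2 or from the reporter; the authorization endpoint, client id, redirect URI and the ten-minute lifetime are assumed placeholders.

```python
"""CSRF protection for an OAuth2 authorization-code flow via the state parameter.
Added example, not part of Net::Linkedin::OAuth2. All URLs and ids are placeholders."""
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://provider.example/oauth2/authorize"  # placeholder, not LinkedIn's real URL
STATE_TTL = 600  # seconds a pending state stays valid (assumed policy)


class OAuth2Client:
    """Builds the authorization URL and verifies the callback's state."""

    def __init__(self, client_id, redirect_uri, auth_endpoint=AUTH_ENDPOINT, clock=time.time):
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.auth_endpoint = auth_endpoint
        self.clock = clock  # injectable for testing expiry
        # Pending states -> issue time. In a real app this lives in the
        # user's server-side session, so only that browser can redeem it.
        self._pending = {}

    def auth_url(self, scope):
        """Return (url, state). The state is returned so the caller can keep it."""
        state = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not rand()
        self._pending[state] = self.clock()
        params = {
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "scope": scope,
            "state": state,
        }
        return f"{self.auth_endpoint}?{urlencode(params)}", state

    def verify_callback(self, callback_url):
        """Return the authorization code if the state is known, fresh and unused, else None."""
        qs = parse_qs(urlparse(callback_url).query)
        state = qs.get("state", [None])[0]
        code = qs.get("code", [None])[0]
        if state is None or code is None:
            return None
        match = None
        for pending in list(self._pending):  # constant-time compare against each pending value
            if hmac.compare_digest(pending, state):
                match = pending
        if match is None:
            return None  # unknown state: treat as a forged or replayed redirect
        issued = self._pending.pop(match)  # single use: a second redeem fails
        if self.clock() - issued > STATE_TTL:
            return None
        return code


def sign_state(secret: bytes, state: str) -> str:
    """Cookie variant: bind the state to the browser with an HMAC tag (integrity, not secrecy)."""
    tag = hmac.new(secret, state.encode(), "sha256").hexdigest()
    return f"{state}.{tag}"


def unsign_state(secret: bytes, cookie: str):
    """Return the state carried by a signed cookie, or None if the tag does not verify."""
    state, _, tag = cookie.rpartition(".")
    expected = hmac.new(secret, state.encode(), "sha256").hexdigest()
    return state if hmac.compare_digest(expected, tag) else None


if __name__ == "__main__":
    client = OAuth2Client("client-id-placeholder", "https://app.example/callback")
    url, state = client.auth_url("r_basicprofile")
    print("redirect user to:", url)
    # Simulated provider redirect back to redirect_uri (constructed, not a real LinkedIn response)
    callback = f"https://app.example/callback?code=constructed-code&state={state}"
    print("code on valid callback:", client.verify_callback(callback))
    print("code on replayed callback:", client.verify_callback(callback))
```

The state is handed back to the caller because the module cannot verify it on its own: only the web application knows which browser session started the flow. Storing it server-side (as above) or in an HMAC-signed cookie both work; a plain unsigned cookie does not, since an attacker could set it along with the forged callback.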