OAuth2 & OpenID Connect Deep Dive · Lesson

State Parameter & CSRF

Understand how the 'state' parameter mitigates Cross-Site Request Forgery (CSRF) attacks in OAuth2 flows.

Understanding CSRF Attacks

Have you heard of Cross-Site Request Forgery (CSRF)? It's a type of attack where an attacker tricks a user's web browser into performing an unwanted action on a trusted site where the user is currently authenticated.

Think of it as someone forging your signature on a document you didn't intend to sign, leveraging your existing trust with the recipient.

CSRF's Threat to OAuth2

In OAuth2, a CSRF attack is particularly dangerous. An attacker might trick a user into clicking a malicious link that initiates an OAuth2 flow to an attacker-controlled application.

If the user is already logged into the Authorization Server and grants access, the Authorization Code could be delivered to the attacker's client instead of the legitimate one, compromising the user's data.
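The mitigation the lesson title refers to is the 'state' parameter: the client generates an unguessable value, binds it to the user's browser session, sends it with the authorization request, and refuses any redirect back whose 'state' does not match the stored one. The following is an added example written for this lesson, not code from the course. It assumes hypothetical endpoint and client values (auth.example.com, app.example.com, the client id) and uses a plain dict as a stand-in for a server-side session store.

```python
import secrets
import hmac
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical values for illustration only (assumptions, not from the lesson).
AUTHORIZE_ENDPOINT = "https://auth.example.com/authorize"
CLIENT_ID = "example-client"
REDIRECT_URI = "https://app.example.com/callback"


def begin_authorization(session: dict) -> str:
    """Generate a fresh, unguessable state, bind it to this user's session,
    and build the authorization request URL that carries it."""
    state = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> str:
    """Validate 'state' on the redirect back BEFORE using the code.
    Returns the authorization code on success; raises ValueError otherwise."""
    query = parse_qs(urlparse(callback_url).query)
    returned_state = query.get("state", [None])[0]
    # pop() makes the state single-use, so a replayed callback is rejected too
    expected_state = session.pop("oauth_state", None)
    if expected_state is None or returned_state is None:
        raise ValueError("missing state: reject the callback")
    # Constant-time comparison on bytes (compare_digest rejects non-ASCII str)
    if not hmac.compare_digest(expected_state.encode(), returned_state.encode()):
        raise ValueError("state mismatch: possible CSRF, reject the callback")
    code = query.get("code", [None])[0]
    if code is None:
        raise ValueError("no authorization code in callback")
    return code


def callback_accepted(session: dict, callback_url: str) -> bool:
    """Convenience wrapper: True if the callback passes state validation."""
    try:
        handle_callback(session, callback_url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Legitimate flow: the state in the session matches the one sent back.
    session = {}
    print("redirecting to:", begin_authorization(session))
    genuine = f"{REDIRECT_URI}?code=constructed-code&state={session['oauth_state']}"
    print("genuine callback accepted:", callback_accepted(session, genuine))

    # Forged flow: a callback the user never initiated carries no matching state.
    session = {}
    begin_authorization(session)
    forged = f"{REDIRECT_URI}?code=attacker-code&state=not-the-stored-value"
    print("forged callback accepted:", callback_accepted(session, forged))
```

The two properties worth checking in your own client are that the state is generated with a cryptographic random source and bound to the session (not a constant or a predictable counter), and that the callback handler validates it before exchanging the code, so a redirect the user did not start never reaches the token endpoint.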
