Spring Social Facebook: "The OAuth2 'state' parameter doesn't match"
The state parameter prevents CSRF attacks in OAuth2.
The idea being:
- Your app adds a
stateparameter to the request that it makes to the authentication server (in this case, Facebook) - The authentication server echoes the exact value of that
stateparameter back to you in the response - You then check to see if they match up
It sounds pointless... but it prevents attackers from making your client app action requests that it didn't initiate.
This covers it in great detail:
http://www.twobotechnologies.com/blog/2014/02/importance-of-state-in-oauth2.html
Spring Social handles all this for you: generating a new random state for every request, and automatically attempting to match it to the value in the response.
So you can't prevent it:, and you don't want to: these might be genuine failed attack attempts - and in those cases, you want this error to happen.
For the cases you've posted, it could just be buggy handling of the state parameter by Spring Social, or by Facebook's authentication servers.
But, for your part, you should handle the exception as if it were a genuine attack attempt: log warnings / alert people / etc.
This function simply generates a state value String (by default UUID.randomUUID().toString() ), places it in the session and passes it to the provider as a "state" parameter in the authorization request. The provider is expected to pass it back on the callback. If the stored state matches the one in the callback, then we are good. If they don`t match, that is when you see the exception that you mentioned there.
This is just supposed to work, but yes I see that you are having problems here.I also found this link that might be worth a look : https://github.com/spring-projects/spring-social-facebook/issues/103