diff --git a/server/modules/authentication/oauth2/authentication.js b/server/modules/authentication/oauth2/authentication.js
index f40fb395e5..7be57f7463 100644
--- a/server/modules/authentication/oauth2/authentication.js
+++ b/server/modules/authentication/oauth2/authentication.js
@@ -19,7 +19,7 @@ module.exports = {
 callbackURL: conf.callbackURL,
 passReqToCallback: true,
 scope: conf.scope,
- state: true
+ state: conf.enableCSRFProtection
 }, async (req, accessToken, refreshToken, profile, cb) => {
 try {
 const user = await WIKI.models.users.processProfile({
diff --git a/server/modules/authentication/oauth2/definition.yml b/server/modules/authentication/oauth2/definition.yml
index 0621aa3922..45c1918383 100644
--- a/server/modules/authentication/oauth2/definition.yml
+++ b/server/modules/authentication/oauth2/definition.yml
@@ -70,3 +70,9 @@ props:
 title: Pass access token via GET query string to User Info Endpoint
 hint: (optional) Pass the access token in an `access_token` parameter attached to the GET query string of the User Info Endpoint URL. Otherwise the access token will be passed in the Authorization header.
 order: 11
+ enableCSRFProtection:
+ type: Boolean
+ default: true
+ title: Enable CSRF protection
+ hint: Pass a nonce state parameter during authentication to protect against CSRF attacks.
+ order: 12
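Review bot: `state: conf.enableCSRFProtection` turns the previously unconditional state check into a fail-open setting, because a strategy config saved before this property existed will carry no `enableCSRFProtection` key and `state: undefined` is falsy, so the state parameter is silently dropped for those installations unless the definition's `default: true` is merged into `conf` at load time, which this hunk does not show. The safer shape is to treat only an explicit opt-out as disabling the check: `state: conf.enableCSRFProtection !== false`. A one-line comment above it would also help the next reader, e.g. `// state=true makes passport-oauth2 bind the callback to the session via the state parameter; only an explicit false disables it`. The enclosing strategy construction starts before and ends after this hunk.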
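Review bot: The new `enableCSRFProtection` hint describes the mechanism but not the consequence of switching it off, so an administrator has no cue that the toggle weakens the login flow rather than merely changing a request parameter. Suggest extending the hint along the lines of `hint: Pass a nonce state parameter during authentication to protect against CSRF attacks. Leave enabled unless the provider fails to return the state parameter on the callback.` The `props:` mapping continues outside the hunk.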