---
title: Protect OAuth Code Flow Vs CSRF
impact: HIGH
impactDescription: prevents OAuth authorization code theft
tags: oauth, csrf, state, authorization, security, csharp
---

## Protect OAuth Code Flow Vs CSRF

OAuth authorization code flows must carry an unguessable `state` value that is bound to the user's browser session and checked on the callback. Without it, an attacker can start a flow with their own account, capture the resulting authorization code, and make the victim's browser hit the callback with that code (a link or hidden image is enough); the victim's session then gets logged in to, or linked with, the attacker's account. ASP.NET Core's remote authentication handlers (`AddGoogle`, `AddMicrosoftAccount`, `AddOpenIdConnect`, ...) issue a correlation cookie and a protected `state` and validate both automatically, but hand-written redirect and callback actions often omit this. `state` complements PKCE (`code_challenge`) rather than replacing it; use both.

**Incorrect (manual implementation without state):**

```csharp
public IActionResult LoginWithGoogle()
{
    // response_type and an escaped redirect_uri are required for the request to be valid at all,
    // but the CSRF defence is still missing: nothing ties the callback to this browser.
    var url = "https://accounts.google.com/o/oauth2/auth"
            + $"?client_id={ClientId}&redirect_uri={Uri.EscapeDataString(RedirectUri)}"
            + "&response_type=code&scope=openid%20email";
    return Redirect(url); // No state parameter!
}
```

**Correct (built-in handler, or a manual implementation that generates, stores, and checks `state`):**

```csharp
using System.Security.Cryptography;

// Preferred: use the built-in handler (package Microsoft.AspNetCore.Authentication.Google).
// It issues a correlation cookie plus a data-protected state value and validates both
// on the callback, so no extra CSRF code is needed.
services.AddAuthentication().AddGoogle(options =>
{
    options.ClientId = "...";
    options.ClientSecret = "...";
    // Correlation cookie & state handle CSRF automatically
});

// Manual implementation (needs services.AddSession() and app.UseSession()):
private static string GenerateRandomState()
{
    // 32 bytes from the CSPRNG; the value must be unguessable, not a counter or timestamp.
    return Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
}

public IActionResult LoginWithGoogle()
{
    var state = GenerateRandomState();
    HttpContext.Session.SetString("oauth_state", state); // bound to this browser's session

    var url = $"https://...&state={Uri.EscapeDataString(state)}";
    return Redirect(url);
}

public IActionResult Callback(string code, string state)
{
    var expected = HttpContext.Session.GetString("oauth_state");
    HttpContext.Session.Remove("oauth_state"); // single use: a state value is never accepted twice

    if (string.IsNullOrEmpty(state) || string.IsNullOrEmpty(expected) || state != expected)
    {
        return BadRequest("Invalid state");
    }
    // ... exchange `code` for tokens only after the state check has passed
}
```
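The session-based check above works, but it needs server-side session state. The built-in handler instead binds `state` to a short-lived correlation cookie and signs the state so it can carry data (such as the URL to return to) without being forgeable. The following is an added example of that pattern, written for this page; it is not the page's code and not the ASP.NET Core implementation. The class name `OAuthState`, the cookie name, the `nonce|expiry|returnUrl` payload layout, and the demo key are all this example's own choices.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class OAuthState
{
    // Hypothetical cookie name; scope the real cookie to the callback path.
    public const string CorrelationCookie = "__oauth_correlation";

    // Returns (state, cookieValue). The cookie holds a random nonce the browser must present
    // again on the callback; the state carries nonce + expiry + returnUrl under an HMAC,
    // so it cannot be forged or edited by anyone without the key.
    public static (string State, string CookieValue) Create(byte[] key, string returnUrl, TimeSpan lifetime)
    {
        string nonce = Base64Url(RandomNumberGenerator.GetBytes(32));
        long expires = DateTimeOffset.UtcNow.Add(lifetime).ToUnixTimeSeconds();
        string payload = $"{nonce}|{expires}|{Base64Url(Encoding.UTF8.GetBytes(returnUrl))}";
        byte[] payloadBytes = Encoding.UTF8.GetBytes(payload);
        byte[] mac = HMACSHA256.HashData(key, payloadBytes);
        return (Base64Url(payloadBytes) + "." + Base64Url(mac), nonce);
    }

    // True only if the state is authentic, unexpired, and its nonce equals the value
    // the browser sent back in the correlation cookie. returnUrl is only trustworthy then.
    public static bool TryValidate(byte[] key, string? state, string? cookieValue, out string returnUrl)
    {
        returnUrl = "/";
        if (string.IsNullOrEmpty(state) || string.IsNullOrEmpty(cookieValue)) return false;

        string[] parts = state.Split('.');
        if (parts.Length != 2) return false;

        byte[] payloadBytes, mac;
        try
        {
            payloadBytes = FromBase64Url(parts[0]);
            mac = FromBase64Url(parts[1]);
        }
        catch (FormatException) { return false; }

        // Constant-time MAC check: a forged or tampered state fails here.
        byte[] expected = HMACSHA256.HashData(key, payloadBytes);
        if (!CryptographicOperations.FixedTimeEquals(expected, mac)) return false;

        string[] fields = Encoding.UTF8.GetString(payloadBytes).Split('|');
        if (fields.Length != 3) return false;
        if (!long.TryParse(fields[1], out long expires)) return false;
        if (DateTimeOffset.UtcNow.ToUnixTimeSeconds() > expires) return false;

        // Browser binding: an attacker can mint a valid state for their own flow, but
        // cannot make the victim's browser present the matching correlation cookie.
        if (!CryptographicOperations.FixedTimeEquals(
                Encoding.UTF8.GetBytes(fields[0]), Encoding.UTF8.GetBytes(cookieValue)))
            return false;

        returnUrl = Encoding.UTF8.GetString(FromBase64Url(fields[2]));
        return true;
    }

    private static string Base64Url(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    private static byte[] FromBase64Url(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        return Convert.FromBase64String(b64);
    }
}

public static class Program
{
    public static void Main()
    {
        // Demo key only: in an application take it from configuration or IDataProtectionProvider.
        byte[] key = RandomNumberGenerator.GetBytes(32);
        var (state, cookie) = OAuthState.Create(key, "/dashboard", TimeSpan.FromMinutes(10));

        // The genuine callback: state and cookie from the same browser.
        Console.WriteLine(OAuthState.TryValidate(key, state, cookie, out var url) + " " + url);

        // CSRF attempt: attacker's state, victim's browser (different cookie). Must fail.
        Console.WriteLine(OAuthState.TryValidate(key, state, "victims-own-nonce", out _));

        // Tampered state: first payload character changed, so the HMAC no longer matches. Must fail.
        string tampered = (state[0] == 'A' ? "B" : "A") + state.Substring(1);
        Console.WriteLine(OAuthState.TryValidate(key, tampered, cookie, out _));
    }
}
```

When wiring this into a controller, set the correlation cookie with `HttpOnly`, `Secure`, `SameSite=Lax` and a `Path` limited to the callback route, then delete it in the callback. `SameSite=Strict` would break the flow: the callback is a cross-site top-level navigation from the authorization server, and browsers do not send Strict cookies on it.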

**Tools:** ASP.NET Security Providers, Manual Review
