Security issue: state parameter missing in redirect URL

[islamazhar]

Hi,

I am a bit concern while using the projects's code for my own microservice because I noticed that the state parameter in redirect URL is missing.
RFC 6749 strongly recommends the presence of the state param because the absence of state param can essentially enable an attacker to perform Cross Site Request Forgery (CSRF) attack [1].

The following code snippet is what I am talking about which is from getAccessToken method in ApiController rest controller class where parameters of the redirect URL such as code, grant_type, redirect_uri, scope are constructed.

The following code snippet is from
sso-client-demo/sso-client-proxy-demo/src/main/java/com/carl/auth/client/demo/proxy/controller/AccessTokenController.java

    map.add(OAuthConstants.CLIENT_ID, client_id);
    map.add(OAuthConstants.CLIENT_SECRET, client_secret);
    map.add(OAuthConstants.CODE, code);
    map.add(OAuthConstants.REDIRECT_URI, redirect_uri);
    map.add(OAuthConstants.GRANT_TYPE, authorization_code);

I want to know your view on this security concern and how it can affect the security of my application against CSRF attack as mentioned in the RFC 6749 document?
Thanks in advance.

References:
[1] RFC 6749 The OAuth 2.0 Authorization Framework Cross Site Request Forgery