Merge commit from fork

Fix CSRF issue with starlette client

Author: lepture

authlib/integrations/starlette_client/apps.py

@@ -14,11 +14,7 @@ class StarletteAppMixin:
     async def save_authorize_data(self, request, **kwargs):
         state = kwargs.pop("state", None)
         if state:
-            if self.framework.cache:
-                session = None
-            else:
-                session = request.session
-            await self.framework.set_state_data(session, state, kwargs)
+            await self.framework.set_state_data(request.session, state, kwargs)
         else:
             raise RuntimeError("Missing state value")
 
@@ -80,13 +76,10 @@ async def authorize_access_token(self, request, **kwargs):
                     "state": form.get("state"),
                 }
 
-        if self.framework.cache:
-            session = None
-        else:
-            session = request.session
-
-        state_data = await self.framework.get_state_data(session, params.get("state"))
-        await self.framework.clear_state_data(session, params.get("state"))
+        state_data = await self.framework.get_state_data(
+            request.session, params.get("state")
+        )
+        await self.framework.clear_state_data(request.session, params.get("state"))
         params = self._format_state_params(state_data, params)
 
         claims_options = kwargs.pop("claims_options", None)

authlib/integrations/starlette_client/integration.py

@@ -22,6 +22,10 @@ async def get_state_data(
     ) -> dict[str, Any]:
         key = f"_state_{self.name}_{state}"
         if self.cache:
+            # require a session-bound marker to prove the callback originates
+            # from the user-agent that started the flow (RFC 6749 §10.12)
+            if session is None or session.get(key) is None:
+                return None
             value = await self._get_cache_data(key)
         elif session is not None:
             value = session.get(key)
@@ -37,21 +41,27 @@ async def set_state_data(
     ):
         key_prefix = f"_state_{self.name}_"
         key = f"{key_prefix}{state}"
+        now = time.time()
         if self.cache:
             await self.cache.set(key, json.dumps({"data": data}), self.expires_in)
+            if session is not None:
+                # clear old state data to avoid session size growing
+                for old_key in list(session.keys()):
+                    if old_key.startswith(key_prefix):
+                        session.pop(old_key)
+                session[key] = {"exp": now + self.expires_in}
         elif session is not None:
             # clear old state data to avoid session size growing
             for old_key in list(session.keys()):
                 if old_key.startswith(key_prefix):
                     session.pop(old_key)
-            now = time.time()
             session[key] = {"data": data, "exp": now + self.expires_in}
 
     async def clear_state_data(self, session: Optional[dict[str, Any]], state: str):
         key = f"_state_{self.name}_{state}"
         if self.cache:
             await self.cache.delete(key)
-        elif session is not None:
+        if session is not None:
             session.pop(key, None)
             self._clear_session_state(session)
 

docs/changelog.rst

@@ -6,6 +6,14 @@ Changelog
 
 Here you can see the full list of changes between each Authlib release.
 
+Version 1.6.11
+--------------
+
+**Released on Apr 15, 2026**
+
+- Fix CSRF vulnerability in the Starlette OAuth client when a ``cache`` is
+  configured.
+
 Version 1.6.10
 --------------
 

tests/clients/test_starlette/test_oauth_client.py

@@ -118,6 +118,66 @@ async def test_oauth2_authorize():
     assert token["access_token"] == "a"
 
 
+class _FakeAsyncCache:
+    """Minimal async cache implementing the authlib framework cache protocol."""
+
+    def __init__(self):
+        self.store = {}
+
+    async def get(self, key):
+        return self.store.get(key)
+
+    async def set(self, key, value, expires=None):
+        self.store[key] = value
+
+    async def delete(self, key):
+        self.store.pop(key, None)
+
+
+@pytest.mark.asyncio
+async def test_oauth2_authorize_csrf_with_cache():
+    """When a cache is configured, the state must still be bound to the
+    session that initiated the flow. Otherwise an attacker can start an
+    authorization request, stop before the callback, and trick a victim into
+    completing the flow — logging the victim into the attacker's account
+    (RFC 6749 §10.12)."""
+    transport = ASGITransport(
+        AsyncPathMapDispatch({"/token": {"body": get_bearer_token()}})
+    )
+    oauth = OAuth(cache=_FakeAsyncCache())
+    client = oauth.register(
+        "dev",
+        client_id="dev",
+        client_secret="dev",
+        api_base_url="https://resource.test/api",
+        access_token_url="https://provider.test/token",
+        authorize_url="https://provider.test/authorize",
+        client_kwargs={
+            "transport": transport,
+        },
+    )
+
+    # Attacker initiates an auth flow from their own session.
+    attacker_req = Request({"type": "http", "session": {}})
+    resp = await client.authorize_redirect(attacker_req, "https://client.test/callback")
+    assert resp.status_code == 302
+    url = resp.headers.get("Location")
+    state = dict(url_decode(urlparse.urlparse(url).query))["state"]
+
+    # Victim is tricked into hitting the callback URL. The victim's browser
+    # carries a *different* session — they never initiated this flow.
+    victim_req = Request(
+        {
+            "type": "http",
+            "path": "/",
+            "query_string": f"code=a&state={state}".encode(),
+            "session": {},
+        }
+    )
+    with pytest.raises(OAuthError):
+        await client.authorize_access_token(victim_req)
+
+
 @pytest.mark.asyncio
 async def test_oauth2_authorize_access_denied():
     oauth = OAuth()