Is protection against CSRF really needed in client with oauth2Login?

[ASarco]

Regarding your article in Baeldung, I see that you configure csrf in the client BFF. But do we really need CSRF here?
If the session cookie is http-only and restricted to the domain of the BFF, I think it's impossible that an attacker can be authenticated in another site, because they will never get the session cookie. Am I correct or is there something I'm not seeing?

[ch4mpy]

Session cookies are credentials and should be flagged HttpOnly to protect against XSS attacks. The ability to use HttpOnly credentials is a key advantage of the Oauth2 BFF pattern over frontends configured as public OAuth2 clients, with which credentials (tokens) are exposed to application code.

SameSite helps protect against CSRF - an attacker doesn't need to access the session cookie to run a CSRF attack, the browser attaching this cookie to a cross-origin request is enough - but still, it is possible for a CSRF attack to be same-site. Please Google "Can a CSRF attack be SameSite?" for details. I find this article which is usually one of the 1st results, pretty informative and synthetic.

So, session cookies should be flagged HttpOnly and SameSite - as done by default by Spring Security - and yes, CSRF protection should be activated in security filter chains relying on sessions, which is the case when oauth2Login is used.

[ASarco]

Hey, thanks for your response!
Yeah, I was more referring to the session cookie domain. My reasoning is if the session cookie domain is set to goodguys.com, there's no way it can be read by, for example, badguys.com , therefore no one from other domain will be able to authenticate. I know that an app running on a subdomain of goodguys.com might have other vulnerabilities, but what if that's not the case?

[ch4mpy]

there's no way it can be read by, for example, badguys.com

As I wrote above an attacker doesn't need to read the session cookie to run a CSRF attack.

Just read the article I linked, along with a few other results from your favorite search engine with the sentence I put above. I won't write such an article here.

Now, what if all users only have best intentions, do no mistakes, and badguys keep away from your app? Well, you can disable all security (not just CSRF). I do not have this chance and will keep CSRF protection enabled.