✨ 全面开启state校验

80329c24 · 智布道 · 78988555 · 80329c24 · 80329c24 · 80329c24
23 changed file
--- a/README.md
+++ b/README.md
@@ -6,7 +6,7 @@
 </p>
 <p align="center">
 	<a target="_blank" href="https://search.maven.org/search?q=JustAuth">
-		<img src="https://img.shields.io/badge/Maven Central-1.7.1-blue.svg" ></img>
+		<img src="https://img.shields.io/badge/Maven Central-1.8.0-blue.svg" ></img>
 	</a>
 	<a target="_blank" href="https://gitee.com/yadong.zhang/JustAuth/blob/master/LICENSE">
 		<img src="https://img.shields.io/apm/l/vim-mode.svg?color=yellow" ></img>
@@ -15,7 +15,7 @@
 		<img src="https://img.shields.io/badge/JDK-1.8+-green.svg" ></img>
 	</a>
 	<a target="_blank" href="https://apidoc.gitee.com/yadong.zhang/JustAuth/">
-		<img src="https://img.shields.io/badge/Docs-1.7.0-orange.svg" ></img>
+		<img src="https://img.shields.io/badge/Docs-1.8.0-orange.svg" ></img>
 	</a>
 </p>

@@ -68,7 +68,7 @@ JustAuth，如你所见，它仅仅是一个**第三方授权登录**的**工具
 <dependency>
    <groupId>me.zhyd.oauth</groupId>
    <artifactId>JustAuth</artifactId>
-    <version>1.7.1</version>
+    <version>1.8.0</version>
 </dependency>
 ```
 - 调用api
@@ -81,10 +81,12 @@ AuthRequest authRequest = new AuthGiteeRequest(AuthConfig.builder()
        .build());
 // 生成授权页面
 authRequest.authorize();
-// 授权登录后会返回一个code，用这个code进行登录
-authRequest.login("code");
+// 授权登录后会返回code（auth_code（仅限支付宝））、state，1.8.0版本后，可以用AuthCallback类作为回调接口的参数
+authRequest.login(callback);
 ```

+注：`1.8.0`版本后，增加了`state`参数校验，用于防止[CSRF](https://zh.wikipedia.org/wiki/%E8%B7%A8%E7%AB%99%E8%AF%B7%E6%B1%82%E4%BC%AA%E9%80%A0)。强烈建议，保证单次流程内`state`的唯一性，且每个`state`只可用一次。
+
 **配套Demo**：[JustAuth-demo](https://gitee.com/yadong.zhang/JustAuth-demo)

 具体的例子可以参考：
@@ -99,12 +101,12 @@ authRequest.login("code");
 |  <img src="https://gitee.com/yadong.zhang/static/raw/master/JustAuth/github.png" width="20">  |  [AuthGithubRequest](https://gitee.com/yadong.zhang/JustAuth/blob/master/src/main/java/me/zhyd/oauth/request/AuthGiteeRequest.java)  |  <a href="https://developer.github.com/apps/building-oauth-apps/authorizing-oauth-apps/" target="_blank">参考文档</a> |
 |  <img src="https://gitee.com/yadong.zhang/static/raw/master/JustAuth/weibo.png" width="20">  |  [AuthWeiboRequest](https://gitee.com/yadong.zhang/JustAuth/blob/master/src/main/java/me/zhyd/oauth/request/AuthGiteeRequest.java)  |  <a href="https://open.weibo.com/wiki/%E6%8E%88%E6%9D%83%E6%9C%BA%E5%88%B6%E8%AF%B4%E6%98%8E" target="_blank">参考文档</a>  |
 |  <img src="https://gitee.com/yadong.zhang/static/raw/master/JustAuth/dingtalk.png" width="20">  |  [AuthDingTalkRequest](https://gitee.com/yadong.zhang/JustAuth/blob/master/src/main/java/me/zhyd/oauth/request/AuthDingTalkRequest.java)  |  <a href="https://open-doc.dingtalk.com/microapp/serverapi2/kymkv6" target="_blank">参考文档</a>  |
-|  <img src="https://gitee.com/yadong.zhang/static/raw/master/JustAuth/baidu.png" width="20">  |  [AuthBaiduRequest](https://gitee.com/yadong.zhang/JustAuth/blob/master/src/main/java/me/zhyd/oauth/request/AuthBaiduRequest.java)  |  <a href="https://developer.baidu.com/" target="_blank">参考文档</a>  |
+|  <img src="https://gitee.com/yadong.zhang/static/raw/master/JustAuth/baidu.png" width="20">  |  [AuthBaiduRequest](https://gitee.com/yadong.zhang/JustAuth/blob/master/src/main/java/me/zhyd/oauth/request/AuthBaiduRequest.java)  |  <a href="http://developer.baidu.com/wiki/index.php?title=docs/oauth" target="_blank">参考文档</a>  |
 |  <img src="https://gitee.com/yadong.zhang/static/raw/master/JustAuth/coding.png" width="25">  |  [AuthCodingRequest](https://gitee.com/yadong.zhang/JustAuth/blob/master/src/main/java/me/zhyd/oauth/request/AuthCodingRequest.java)  |  <a href="https://open.coding.net/references/oauth/" target="_blank">参考文档</a> |
 |  <img src="https://gitee.com/yadong.zhang/static/raw/master/JustAuth/tencentCloud.png" width="25">  |  [AuthTencentCloudRequest](https://gitee.com/yadong.zhang/JustAuth/blob/master/src/main/java/me/zhyd/oauth/request/AuthTencentCloudRequest.java)  |  <a href="https://dev.tencent.com/help/doc/faq/b4e5b7aee786/oauth" target="_blank">参考文档</a> |
-|  <img src="https://gitee.com/yadong.zhang/static/raw/master/JustAuth/oschina.png" width="20">  |  [AuthOschinaRequest](https://gitee.com/yadong.zhang/JustAuth/blob/master/src/main/java/me/zhyd/oauth/request/AuthOschinaRequest.java)  |  <a href="https://www.oschina.net/openapi/docs/openapi_user" target="_blank">参考文档</a> |
+|  <img src="https://gitee.com/yadong.zhang/static/raw/master/JustAuth/oschina.png" width="20">  |  [AuthOschinaRequest](https://gitee.com/yadong.zhang/JustAuth/blob/master/src/main/java/me/zhyd/oauth/request/AuthOschinaRequest.java)  |  <a href="https://www.oschina.net/openapi/docs/oauth2_authorize" target="_blank">参考文档</a> |
 |  <img src="https://gitee.com/yadong.zhang/static/raw/master/JustAuth/alipay.png" width="20">  |  [AuthAlipayRequest](https://gitee.com/yadong.zhang/JustAuth/blob/master/src/main/java/me/zhyd/oauth/request/AuthAlipayRequest.java)  |  <a href="https://alipay.open.taobao.com/docs/doc.htm?spm=a219a.7629140.0.0.336d4b70GUKXOl&treeId=193&articleId=105809&docType=1" target="_blank">参考文档</a> |
-|  <img src="https://gitee.com/yadong.zhang/static/raw/master/JustAuth/qq.png" width="20">  |  [AuthQqRequest](https://gitee.com/yadong.zhang/JustAuth/blob/master/src/main/java/me/zhyd/oauth/request/AuthQqRequest.java)  |  <a href="http://wiki.connect.qq.com/" target="_blank">参考文档</a>  |
+|  <img src="https://gitee.com/yadong.zhang/static/raw/master/JustAuth/qq.png" width="20">  |  [AuthQqRequest](https://gitee.com/yadong.zhang/JustAuth/blob/master/src/main/java/me/zhyd/oauth/request/AuthQqRequest.java)  |  <a href="https://wiki.connect.qq.com/%E4%BD%BF%E7%94%A8authorization_code%E8%8E%B7%E5%8F%96access_token" target="_blank">参考文档</a>  |
 |  <img src="https://gitee.com/yadong.zhang/static/raw/master/JustAuth/wechat.png" width="20">  |  [AuthWeChatRequest](https://gitee.com/yadong.zhang/JustAuth/blob/master/src/main/java/me/zhyd/oauth/request/AuthWeChatRequest.java)   |  <a href="https://open.weixin.qq.com/cgi-bin/showdocument?action=dir_list&t=resource/res_list&verify=1&id=open1419316505&token=&lang=zh_CN" target="_blank">参考文档</a>  |
 |  <img src="https://gitee.com/yadong.zhang/static/raw/master/JustAuth/taobao.png" width="20">  |  [AuthTaobaoRequest](https://gitee.com/yadong.zhang/JustAuth/blob/master/src/main/java/me/zhyd/oauth/request/AuthTaobaoRequest.java)   |  <a href="https://open.taobao.com/doc.htm?spm=a219a.7386797.0.0.4e00669acnkQy6&source=search&docId=105590&docType=1" target="_blank">参考文档</a>  |
 |  <img src="https://gitee.com/yadong.zhang/static/raw/master/JustAuth/google.png" width="20">  |  [AuthGoogleRequest](https://gitee.com/yadong.zhang/JustAuth/blob/master/src/main/java/me/zhyd/oauth/request/AuthGoogleRequest.java)   |  <a href="https://developers.google.com/identity/protocols/OpenIDConnect" target="_blank">参考文档</a>  |

--- a/src/main/java/me/zhyd/oauth/model/AuthUser.java
+++ b/src/main/java/me/zhyd/oauth/model/AuthUser.java
@@ -17,6 +17,10 @@ import me.zhyd.oauth.config.AuthSource;
 @Setter
 @Builder
 public class AuthUser {
+    /**
+     * 用户第三方系统的唯一id。在调用方集成改组件时，可以用uuid + source唯一确定一个用户
+     */
+    private String uuid;
    /**
     * 用户名
     */
@@ -61,8 +65,4 @@ public class AuthUser {
     * 用户授权的token信息
     */
    private AuthToken token;
-    /**
-     * 用户第三方系统的唯一id。在调用方集成改组件时，可以用uuid + source唯一确定一个用户
-     */
-    private String uuid;
 }
--- a/src/main/java/me/zhyd/oauth/request/AuthAlipayRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthAlipayRequest.java
@@ -38,12 +38,12 @@ public class AuthAlipayRequest extends BaseAuthRequest {
    protected AuthToken getAccessToken(AuthCallback authCallback) {
        AlipaySystemOauthTokenRequest request = new AlipaySystemOauthTokenRequest();
        request.setGrantType("authorization_code");
-        request.setCode(authCallback.getCode());
+        request.setCode(authCallback.getAuth_code());
        AlipaySystemOauthTokenResponse response = null;
        try {
            response = this.alipayClient.execute(request);
        } catch (Exception e) {
-            throw new AuthException("Unable to get token from alipay using code [" + authCallback.getCode() + "]", e);
+            throw new AuthException("Unable to get token from alipay using code [" + authCallback.getAuth_code() + "]", e);
        }
        if (!response.isSuccess()) {
            throw new AuthException(response.getSubMsg());
@@ -93,6 +93,6 @@ public class AuthAlipayRequest extends BaseAuthRequest {
     */
    @Override
    public String authorize() {
-        return UrlBuilder.getAlipayAuthorizeUrl(config.getClientId(), config.getRedirectUri());
+        return UrlBuilder.getAlipayAuthorizeUrl(config.getClientId(), config.getRedirectUri(), config.getState());
    }
 }
--- a/src/main/java/me/zhyd/oauth/request/AuthBaiduRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthBaiduRequest.java
@@ -67,7 +67,7 @@ public class AuthBaiduRequest extends BaseAuthRequest {
     */
    @Override
    public String authorize() {
-        return UrlBuilder.getBaiduAuthorizeUrl(config.getClientId(), config.getRedirectUri());
+        return UrlBuilder.getBaiduAuthorizeUrl(config.getClientId(), config.getRedirectUri(), config.getState());
    }

    @Override

--- a/src/main/java/me/zhyd/oauth/request/AuthCodingRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthCodingRequest.java
@@ -33,7 +33,11 @@ public class AuthCodingRequest extends BaseAuthRequest {
        if (accessTokenObject.getIntValue("code") != 0) {
            throw new AuthException("Unable to get token from coding using code [" + authCallback.getCode() + "]");
        }
-        return AuthToken.builder().accessToken(accessTokenObject.getString("access_token")).build();
+        return AuthToken.builder()
+                .accessToken(accessTokenObject.getString("access_token"))
+                .expireIn(accessTokenObject.getIntValue("expires_in"))
+                .refreshToken(accessTokenObject.getString("refresh_token"))
+                .build();
    }

    @Override
@@ -69,6 +73,6 @@ public class AuthCodingRequest extends BaseAuthRequest {
     */
    @Override
    public String authorize() {
-        return UrlBuilder.getCodingAuthorizeUrl(config.getClientId(), config.getRedirectUri());
+        return UrlBuilder.getCodingAuthorizeUrl(config.getClientId(), config.getRedirectUri(), config.getState());
    }
 }
--- a/src/main/java/me/zhyd/oauth/request/AuthCsdnRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthCsdnRequest.java
@@ -63,6 +63,6 @@ public class AuthCsdnRequest extends BaseAuthRequest {
     */
    @Override
    public String authorize() {
-        return UrlBuilder.getCsdnAuthorizeUrl(config.getClientId(), config.getRedirectUri());
+        return UrlBuilder.getCsdnAuthorizeUrl(config.getClientId(), config.getRedirectUri(), config.getState());
    }
 }
--- a/src/main/java/me/zhyd/oauth/request/AuthDingTalkRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthDingTalkRequest.java
@@ -67,6 +67,6 @@ public class AuthDingTalkRequest extends BaseAuthRequest {
     */
    @Override
    public String authorize() {
-        return UrlBuilder.getDingTalkQrConnectUrl(config.getClientId(), config.getRedirectUri());
+        return UrlBuilder.getDingTalkQrConnectUrl(config.getClientId(), config.getRedirectUri(), config.getState());
    }
 }
--- a/src/main/java/me/zhyd/oauth/request/AuthDouyinRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthDouyinRequest.java
@@ -58,7 +58,7 @@ public class AuthDouyinRequest extends BaseAuthRequest {
     */
    @Override
    public String authorize() {
-        return UrlBuilder.getDouyinAuthorizeUrl(config.getClientId(), config.getRedirectUri());
+        return UrlBuilder.getDouyinAuthorizeUrl(config.getClientId(), config.getRedirectUri(), config.getState());
    }

    @Override

--- a/src/main/java/me/zhyd/oauth/request/AuthFacebookRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthFacebookRequest.java
@@ -30,16 +30,16 @@ public class AuthFacebookRequest extends BaseAuthRequest {
        String accessTokenUrl = UrlBuilder.getFacebookAccessTokenUrl(config.getClientId(), config.getClientSecret(),
                authCallback.getCode(), config.getRedirectUri());
        HttpResponse response = HttpRequest.post(accessTokenUrl).execute();
-        JSONObject object = JSONObject.parseObject(response.body());
+        JSONObject accessTokenObject = JSONObject.parseObject(response.body());

-        if (object.containsKey("error")) {
-            throw new AuthException(object.getJSONObject("error").getString("message"));
+        if (accessTokenObject.containsKey("error")) {
+            throw new AuthException(accessTokenObject.getJSONObject("error").getString("message"));
        }

        return AuthToken.builder()
-                .accessToken(object.getString("access_token"))
-                .expireIn(object.getIntValue("expires_in"))
-                .tokenType(object.getString("token_type"))
+                .accessToken(accessTokenObject.getString("access_token"))
+                .expireIn(accessTokenObject.getIntValue("expires_in"))
+                .tokenType(accessTokenObject.getString("token_type"))
                .build();
    }

@@ -80,6 +80,6 @@ public class AuthFacebookRequest extends BaseAuthRequest {
     */
    @Override
    public String authorize() {
-        return UrlBuilder.getFacebookAuthorizeUrl(config.getClientId(), config.getRedirectUri());
+        return UrlBuilder.getFacebookAuthorizeUrl(config.getClientId(), config.getRedirectUri(), config.getState());
    }
 }
--- a/src/main/java/me/zhyd/oauth/request/AuthGoogleRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthGoogleRequest.java
@@ -30,19 +30,19 @@ public class AuthGoogleRequest extends BaseAuthRequest {
        String accessTokenUrl = UrlBuilder.getGoogleAccessTokenUrl(config.getClientId(), config.getClientSecret(), authCallback.getCode(), config
                .getRedirectUri());
        HttpResponse response = HttpRequest.post(accessTokenUrl).execute();
-        JSONObject object = JSONObject.parseObject(response.body());
+        JSONObject accessTokenObject = JSONObject.parseObject(response.body());

-        if (object.containsKey("error") || object.containsKey("error_description")) {
-            throw new AuthException("get google access_token has error:[" + object.getString("error") + "], error_description:[" + object
+        if (accessTokenObject.containsKey("error") || accessTokenObject.containsKey("error_description")) {
+            throw new AuthException("get google access_token has error:[" + accessTokenObject.getString("error") + "], error_description:[" + accessTokenObject
                    .getString("error_description") + "]");
        }

        return AuthToken.builder()
-                .accessToken(object.getString("access_token"))
-                .expireIn(object.getIntValue("expires_in"))
-                .scope(object.getString("scope"))
-                .tokenType(object.getString("token_type"))
-                .idToken(object.getString("id_token"))
+                .accessToken(accessTokenObject.getString("access_token"))
+                .expireIn(accessTokenObject.getIntValue("expires_in"))
+                .scope(accessTokenObject.getString("scope"))
+                .tokenType(accessTokenObject.getString("token_type"))
+                .idToken(accessTokenObject.getString("id_token"))
                .build();
    }

@@ -72,6 +72,6 @@ public class AuthGoogleRequest extends BaseAuthRequest {
     */
    @Override
    public String authorize() {
-        return UrlBuilder.getGoogleAuthorizeUrl(config.getClientId(), config.getRedirectUri());
+        return UrlBuilder.getGoogleAuthorizeUrl(config.getClientId(), config.getRedirectUri(), config.getState());
    }
 }
--- a/src/main/java/me/zhyd/oauth/request/AuthLinkedinRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthLinkedinRequest.java
@@ -93,7 +93,7 @@ public class AuthLinkedinRequest extends BaseAuthRequest {
     */
    @Override
    public String authorize() {
-        return UrlBuilder.getLinkedinAuthorizeUrl(config.getClientId(), config.getRedirectUri());
+        return UrlBuilder.getLinkedinAuthorizeUrl(config.getClientId(), config.getRedirectUri(), config.getState());
    }

    private String getUserEmail(String accessToken) {

--- a/src/main/java/me/zhyd/oauth/request/AuthMiRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthMiRequest.java
@@ -35,21 +35,21 @@ public class AuthMiRequest extends BaseAuthRequest {
    private AuthToken getToken(String accessTokenUrl) {
        HttpResponse response = HttpRequest.get(accessTokenUrl).execute();
        String jsonStr = StrUtil.replace(response.body(), PREFIX, StrUtil.EMPTY);
-        JSONObject object = JSONObject.parseObject(jsonStr);
+        JSONObject accessTokenObject = JSONObject.parseObject(jsonStr);

-        if (object.containsKey("error")) {
-            throw new AuthException(object.getString("error_description"));
+        if (accessTokenObject.containsKey("error")) {
+            throw new AuthException(accessTokenObject.getString("error_description"));
        }

        return AuthToken.builder()
-                .accessToken(object.getString("access_token"))
-                .expireIn(object.getIntValue("expires_in"))
-                .scope(object.getString("scope"))
-                .tokenType(object.getString("token_type"))
-                .refreshToken(object.getString("refresh_token"))
-                .openId(object.getString("openId"))
-                .macAlgorithm(object.getString("mac_algorithm"))
-                .macKey(object.getString("mac_key"))
+                .accessToken(accessTokenObject.getString("access_token"))
+                .expireIn(accessTokenObject.getIntValue("expires_in"))
+                .scope(accessTokenObject.getString("scope"))
+                .tokenType(accessTokenObject.getString("token_type"))
+                .refreshToken(accessTokenObject.getString("refresh_token"))
+                .openId(accessTokenObject.getString("openId"))
+                .macAlgorithm(accessTokenObject.getString("mac_algorithm"))
+                .macKey(accessTokenObject.getString("mac_key"))
                .build();
    }

@@ -98,7 +98,7 @@ public class AuthMiRequest extends BaseAuthRequest {
     */
    @Override
    public String authorize() {
-        return UrlBuilder.getMiAuthorizeUrl(config.getClientId(), config.getRedirectUri());
+        return UrlBuilder.getMiAuthorizeUrl(config.getClientId(), config.getRedirectUri(), config.getState());
    }

    /**

--- a/src/main/java/me/zhyd/oauth/request/AuthMicrosoftRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthMicrosoftRequest.java
@@ -48,16 +48,16 @@ public class AuthMicrosoftRequest extends BaseAuthRequest {
                .form(paramMap)
                .execute();
        String accessTokenStr = response.body();
-        JSONObject object = JSONObject.parseObject(accessTokenStr);
+        JSONObject accessTokenObject = JSONObject.parseObject(accessTokenStr);

-        this.checkResponse(object);
+        this.checkResponse(accessTokenObject);

        return AuthToken.builder()
-                .accessToken(object.getString("access_token"))
-                .expireIn(object.getIntValue("expires_in"))
-                .scope(object.getString("scope"))
-                .tokenType(object.getString("token_type"))
-                .refreshToken(object.getString("refresh_token"))
+                .accessToken(accessTokenObject.getString("access_token"))
+                .expireIn(accessTokenObject.getIntValue("expires_in"))
+                .scope(accessTokenObject.getString("scope"))
+                .tokenType(accessTokenObject.getString("token_type"))
+                .refreshToken(accessTokenObject.getString("refresh_token"))
                .build();
    }

@@ -96,7 +96,7 @@ public class AuthMicrosoftRequest extends BaseAuthRequest {
     */
    @Override
    public String authorize() {
-        return UrlBuilder.getMicrosoftAuthorizeUrl(config.getClientId(), config.getRedirectUri());
+        return UrlBuilder.getMicrosoftAuthorizeUrl(config.getClientId(), config.getRedirectUri(), config.getState());
    }

    /**

--- a/src/main/java/me/zhyd/oauth/request/AuthOschinaRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthOschinaRequest.java
@@ -34,7 +34,12 @@ public class AuthOschinaRequest extends BaseAuthRequest {
        if (accessTokenObject.containsKey("error")) {
            throw new AuthException("Unable to get token from oschina using code [" + authCallback.getCode() + "]");
        }
-        return AuthToken.builder().accessToken(accessTokenObject.getString("access_token")).build();
+        return AuthToken.builder()
+                .accessToken(accessTokenObject.getString("access_token"))
+                .refreshToken(accessTokenObject.getString("refresh_token"))
+                .uid(accessTokenObject.getString("uid"))
+                .expireIn(accessTokenObject.getIntValue("expires_in"))
+                .build();
    }

    @Override
@@ -66,6 +71,6 @@ public class AuthOschinaRequest extends BaseAuthRequest {
     */
    @Override
    public String authorize() {
-        return UrlBuilder.getOschinaAuthorizeUrl(config.getClientId(), config.getRedirectUri());
+        return UrlBuilder.getOschinaAuthorizeUrl(config.getClientId(), config.getRedirectUri(), config.getState());
    }
 }
--- a/src/main/java/me/zhyd/oauth/request/AuthQqRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthQqRequest.java
@@ -81,7 +81,7 @@ public class AuthQqRequest extends BaseAuthRequest {
     */
    @Override
    public String authorize() {
-        return UrlBuilder.getQqAuthorizeUrl(config.getClientId(), config.getRedirectUri());
+        return UrlBuilder.getQqAuthorizeUrl(config.getClientId(), config.getRedirectUri(), config.getState());
    }

    private String getOpenId(AuthToken authToken) {

--- a/src/main/java/me/zhyd/oauth/request/AuthTaobaoRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthTaobaoRequest.java
@@ -36,19 +36,19 @@ public class AuthTaobaoRequest extends BaseAuthRequest {
        String accessCode = authToken.getAccessCode();
        HttpResponse response = HttpRequest.post(UrlBuilder.getTaobaoAccessTokenUrl(this.config.getClientId(), this.config
                .getClientSecret(), accessCode, this.config.getRedirectUri())).execute();
-        JSONObject object = JSONObject.parseObject(response.body());
-        if (object.containsKey("error")) {
-            throw new AuthException(ResponseStatus.FAILURE + ":" + object.getString("error_description"));
+        JSONObject accessTokenObject = JSONObject.parseObject(response.body());
+        if (accessTokenObject.containsKey("error")) {
+            throw new AuthException(ResponseStatus.FAILURE + ":" + accessTokenObject.getString("error_description"));
        }
-        authToken.setAccessToken(object.getString("access_token"));
-        authToken.setRefreshToken(object.getString("refresh_token"));
-        authToken.setExpireIn(object.getIntValue("expires_in"));
-        authToken.setUid(object.getString("taobao_user_id"));
-        authToken.setOpenId(object.getString("taobao_open_uid"));
+        authToken.setAccessToken(accessTokenObject.getString("access_token"));
+        authToken.setRefreshToken(accessTokenObject.getString("refresh_token"));
+        authToken.setExpireIn(accessTokenObject.getIntValue("expires_in"));
+        authToken.setUid(accessTokenObject.getString("taobao_user_id"));
+        authToken.setOpenId(accessTokenObject.getString("taobao_open_uid"));

-        String nick = GlobalAuthUtil.urlDecode(object.getString("taobao_user_nick"));
+        String nick = GlobalAuthUtil.urlDecode(accessTokenObject.getString("taobao_user_nick"));
        return AuthUser.builder()
-                .uuid(object.getString("taobao_user_id"))
+                .uuid(accessTokenObject.getString("taobao_user_id"))
                .username(nick)
                .nickname(nick)
                .gender(AuthUserGender.UNKNOW)
@@ -64,6 +64,6 @@ public class AuthTaobaoRequest extends BaseAuthRequest {
     */
    @Override
    public String authorize() {
-        return UrlBuilder.getTaobaoAuthorizeUrl(config.getClientId(), config.getRedirectUri());
+        return UrlBuilder.getTaobaoAuthorizeUrl(config.getClientId(), config.getRedirectUri(), config.getState());
    }
 }
--- a/src/main/java/me/zhyd/oauth/request/AuthTencentCloudRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthTencentCloudRequest.java
@@ -29,11 +29,15 @@ public class AuthTencentCloudRequest extends BaseAuthRequest {
    protected AuthToken getAccessToken(AuthCallback authCallback) {
        String accessTokenUrl = UrlBuilder.getTencentCloudAccessTokenUrl(config.getClientId(), config.getClientSecret(), authCallback.getCode());
        HttpResponse response = HttpRequest.get(accessTokenUrl).execute();
-        JSONObject object = JSONObject.parseObject(response.body());
-        if (object.getIntValue("code") != 0) {
-            throw new AuthException("Unable to get token from tencent cloud using code [" + authCallback.getCode() + "]: " + object.get("msg"));
+        JSONObject accessTokenObject = JSONObject.parseObject(response.body());
+        if (accessTokenObject.getIntValue("code") != 0) {
+            throw new AuthException("Unable to get token from tencent cloud using code [" + authCallback.getCode() + "]: " + accessTokenObject.get("msg"));
        }
-        return AuthToken.builder().accessToken(object.getString("access_token")).build();
+        return AuthToken.builder()
+                .accessToken(accessTokenObject.getString("access_token"))
+                .expireIn(accessTokenObject.getIntValue("expires_in"))
+                .refreshToken(accessTokenObject.getString("refresh_token"))
+                .build();
    }

    @Override
@@ -68,6 +72,6 @@ public class AuthTencentCloudRequest extends BaseAuthRequest {
     */
    @Override
    public String authorize() {
-        return UrlBuilder.getTencentCloudAuthorizeUrl(config.getClientId(), config.getRedirectUri());
+        return UrlBuilder.getTencentCloudAuthorizeUrl(config.getClientId(), config.getRedirectUri(), config.getState());
    }
 }
--- a/src/main/java/me/zhyd/oauth/request/AuthToutiaoRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthToutiaoRequest.java
@@ -26,16 +26,16 @@ public class AuthToutiaoRequest extends BaseAuthRequest {
    protected AuthToken getAccessToken(AuthCallback authCallback) {
        String accessTokenUrl = UrlBuilder.getToutiaoAccessTokenUrl(config.getClientId(), config.getClientSecret(), authCallback.getCode());
        HttpResponse response = HttpRequest.get(accessTokenUrl).execute();
-        JSONObject object = JSONObject.parseObject(response.body());
+        JSONObject accessTokenObject = JSONObject.parseObject(response.body());

-        if (object.containsKey("error_code")) {
-            throw new AuthException(AuthToutiaoErrorCode.getErrorCode(object.getIntValue("error_code")).getDesc());
+        if (accessTokenObject.containsKey("error_code")) {
+            throw new AuthException(AuthToutiaoErrorCode.getErrorCode(accessTokenObject.getIntValue("error_code")).getDesc());
        }

        return AuthToken.builder()
-                .accessToken(object.getString("access_token"))
-                .expireIn(object.getIntValue("expires_in"))
-                .openId(object.getString("open_id"))
+                .accessToken(accessTokenObject.getString("access_token"))
+                .expireIn(accessTokenObject.getIntValue("expires_in"))
+                .openId(accessTokenObject.getString("open_id"))
                .build();
    }

@@ -73,6 +73,6 @@ public class AuthToutiaoRequest extends BaseAuthRequest {
     */
    @Override
    public String authorize() {
-        return UrlBuilder.getToutiaoAuthorizeUrl(config.getClientId(), config.getRedirectUri());
+        return UrlBuilder.getToutiaoAuthorizeUrl(config.getClientId(), config.getRedirectUri(), config.getState());
    }
 }
--- a/src/main/java/me/zhyd/oauth/request/AuthWeChatRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthWeChatRequest.java
@@ -24,7 +24,7 @@ public class AuthWeChatRequest extends BaseAuthRequest {
    /**
     * 微信的特殊性，此时返回的信息同时包含 openid 和 access_token
     *
-     * @param code 授权码
+     * @param authCallback 回调返回的参数
     * @return 所有信息
     */
    @Override
@@ -63,7 +63,7 @@ public class AuthWeChatRequest extends BaseAuthRequest {
     */
    @Override
    public String authorize() {
-        return UrlBuilder.getWeChatAuthorizeUrl(config.getClientId(), config.getRedirectUri());
+        return UrlBuilder.getWeChatAuthorizeUrl(config.getClientId(), config.getRedirectUri(), config.getState());
    }

    @Override
@@ -94,15 +94,15 @@ public class AuthWeChatRequest extends BaseAuthRequest {
     */
    private AuthToken getToken(String accessTokenUrl) {
        HttpResponse response = HttpRequest.get(accessTokenUrl).execute();
-        JSONObject object = JSONObject.parseObject(response.body());
+        JSONObject accessTokenObject = JSONObject.parseObject(response.body());

-        this.checkResponse(object);
+        this.checkResponse(accessTokenObject);

        return AuthToken.builder()
-                .accessToken(object.getString("access_token"))
-                .refreshToken(object.getString("refresh_token"))
-                .expireIn(object.getIntValue("expires_in"))
-                .openId(object.getString("openid"))
+                .accessToken(accessTokenObject.getString("access_token"))
+                .refreshToken(accessTokenObject.getString("refresh_token"))
+                .expireIn(accessTokenObject.getIntValue("expires_in"))
+                .openId(accessTokenObject.getString("openid"))
                .build();
    }
 }
--- a/src/main/java/me/zhyd/oauth/request/BaseAuthRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/BaseAuthRequest.java
@@ -37,7 +37,7 @@ public abstract class BaseAuthRequest implements AuthRequest {
    @Override
    public AuthResponse login(AuthCallback authCallback) {
        try {
-            AuthChecker.checkCode(authCallback.getCode());
+            AuthChecker.checkCode(source == AuthSource.ALIPAY ? authCallback.getAuth_code() : authCallback.getCode());
            AuthChecker.checkState(authCallback.getState(), config.getState());

            AuthToken authToken = this.getAccessToken(authCallback);

--- a/src/main/java/me/zhyd/oauth/utils/UrlBuilder.java
+++ b/src/main/java/me/zhyd/oauth/utils/UrlBuilder.java
@@ -29,31 +29,31 @@ public class UrlBuilder {
    private static final String GITEE_USER_INFO_PATTERN = "{0}?access_token={1}";
    private static final String GITEE_AUTHORIZE_PATTERN = "{0}?client_id={1}&response_type=code&redirect_uri={2}&state={3}";

-    private static final String DING_TALK_QRCONNECT_PATTERN = "{0}?appid={1}&response_type=code&scope=snsapi_login&state=STATE&redirect_uri={2}";
+    private static final String DING_TALK_QRCONNECT_PATTERN = "{0}?appid={1}&response_type=code&scope=snsapi_login&redirect_uri={2}&state={3}";
    private static final String DING_TALK_USER_INFO_PATTERN = "{0}?signature={1}&timestamp={2}&accessKey={3}";

    private static final String BAIDU_ACCESS_TOKEN_PATTERN = "{0}?client_id={1}&client_secret={2}&grant_type=authorization_code&code={3}&redirect_uri={4}";
    private static final String BAIDU_USER_INFO_PATTERN = "{0}?access_token={1}";
-    private static final String BAIDU_AUTHORIZE_PATTERN = "{0}?client_id={1}&response_type=code&redirect_uri={2}&display=popup";
+    private static final String BAIDU_AUTHORIZE_PATTERN = "{0}?client_id={1}&response_type=code&redirect_uri={2}&display=popup&state={3}";
    private static final String BAIDU_REVOKE_PATTERN = "{0}?access_token={1}";

    private static final String CSDN_ACCESS_TOKEN_PATTERN = "{0}?client_id={1}&client_secret={2}&grant_type=authorization_code&code={3}&redirect_uri={4}";
    private static final String CSDN_USER_INFO_PATTERN = "{0}?access_token={1}";
-    private static final String CSDN_AUTHORIZE_PATTERN = "{0}?client_id={1}&response_type=code&redirect_uri={2}";
+    private static final String CSDN_AUTHORIZE_PATTERN = "{0}?client_id={1}&response_type=code&redirect_uri={2}&state={3}";

    private static final String CODING_ACCESS_TOKEN_PATTERN = "{0}?client_id={1}&client_secret={2}&grant_type=authorization_code&code={3}";
    private static final String CODING_USER_INFO_PATTERN = "{0}?access_token={1}";
-    private static final String CODING_AUTHORIZE_PATTERN = "{0}?client_id={1}&response_type=code&redirect_uri={2}&scope=user";
+    private static final String CODING_AUTHORIZE_PATTERN = "{0}?client_id={1}&response_type=code&redirect_uri={2}&scope=user&state={3}";

    private static final String TENCENT_ACCESS_TOKEN_PATTERN = "{0}?client_id={1}&client_secret={2}&grant_type=authorization_code&code={3}";
    private static final String TENCENT_USER_INFO_PATTERN = "{0}?access_token={1}";
-    private static final String TENCENT_AUTHORIZE_PATTERN = "{0}?client_id={1}&response_type=code&redirect_uri={2}&scope=user";
+    private static final String TENCENT_AUTHORIZE_PATTERN = "{0}?client_id={1}&response_type=code&redirect_uri={2}&scope=user&state={3}";

    private static final String OSCHINA_ACCESS_TOKEN_PATTERN = "{0}?client_id={1}&client_secret={2}&grant_type=authorization_code&code={3}&redirect_uri={4}&dataType=json";
    private static final String OSCHINA_USER_INFO_PATTERN = "{0}?access_token={1}&dataType=json";
-    private static final String OSCHINA_AUTHORIZE_PATTERN = "{0}?client_id={1}&response_type=code&redirect_uri={2}";
+    private static final String OSCHINA_AUTHORIZE_PATTERN = "{0}?client_id={1}&response_type=code&redirect_uri={2}&state={3}";

-    private static final String ALIPAY_AUTHORIZE_PATTERN = "{0}?app_id={1}&scope=auth_user&redirect_uri={2}&state=init";
+    private static final String ALIPAY_AUTHORIZE_PATTERN = "{0}?app_id={1}&scope=auth_user&redirect_uri={2}&state={3}";

    private static final String QQ_ACCESS_TOKEN_PATTERN = "{0}?client_id={1}&client_secret={2}&grant_type=authorization_code&code={3}&redirect_uri={4}";
    private static final String QQ_USER_INFO_PATTERN = "{0}?oauth_consumer_key={1}&access_token={2}&openid={3}";
@@ -215,10 +215,11 @@ public class UrlBuilder {
     *
     * @param clientId    钉钉 应用的App Id
     * @param redirectUrl 钉钉 应用授权成功后的回调地址
+     * @param state       随机字符串，用于保持会话状态，防止CSRF攻击
     * @return full url
     */
-    public static String getDingTalkQrConnectUrl(String clientId, String redirectUrl) {
-        return MessageFormat.format(DING_TALK_QRCONNECT_PATTERN, AuthSource.DINGTALK.authorize(), clientId, redirectUrl);
+    public static String getDingTalkQrConnectUrl(String clientId, String redirectUrl, String state) {
+        return MessageFormat.format(DING_TALK_QRCONNECT_PATTERN, AuthSource.DINGTALK.authorize(), clientId, redirectUrl, getState(state));
    }

    /**
@@ -261,10 +262,11 @@ public class UrlBuilder {
     *
     * @param clientId    baidu 应用的API Key
     * @param redirectUrl baidu 应用授权成功后的回调地址
+     * @param state       随机字符串，用于保持会话状态，防止CSRF攻击
     * @return json
     */
-    public static String getBaiduAuthorizeUrl(String clientId, String redirectUrl) {
-        return MessageFormat.format(BAIDU_AUTHORIZE_PATTERN, AuthSource.BAIDU.authorize(), clientId, redirectUrl);
+    public static String getBaiduAuthorizeUrl(String clientId, String redirectUrl, String state) {
+        return MessageFormat.format(BAIDU_AUTHORIZE_PATTERN, AuthSource.BAIDU.authorize(), clientId, redirectUrl, getState(state));
    }

    /**
@@ -305,10 +307,11 @@ public class UrlBuilder {
     *
     * @param clientId    csdn 应用的Client ID
     * @param redirectUrl csdn 应用授权成功后的回调地址
+     * @param state       随机字符串，用于保持会话状态，防止CSRF攻击
     * @return full url
     */
-    public static String getCsdnAuthorizeUrl(String clientId, String redirectUrl) {
-        return MessageFormat.format(CSDN_AUTHORIZE_PATTERN, AuthSource.CSDN.authorize(), clientId, redirectUrl);
+    public static String getCsdnAuthorizeUrl(String clientId, String redirectUrl, String state) {
+        return MessageFormat.format(CSDN_AUTHORIZE_PATTERN, AuthSource.CSDN.authorize(), clientId, redirectUrl, getState(state));
    }

    /**
@@ -338,10 +341,11 @@ public class UrlBuilder {
     *
     * @param clientId    coding 应用的Client ID
     * @param redirectUrl coding 应用授权成功后的回调地址
+     * @param state       随机字符串，用于保持会话状态，防止CSRF攻击
     * @return full url
     */
-    public static String getCodingAuthorizeUrl(String clientId, String redirectUrl) {
-        return MessageFormat.format(CODING_AUTHORIZE_PATTERN, AuthSource.CODING.authorize(), clientId, redirectUrl);
+    public static String getCodingAuthorizeUrl(String clientId, String redirectUrl, String state) {
+        return MessageFormat.format(CODING_AUTHORIZE_PATTERN, AuthSource.CODING.authorize(), clientId, redirectUrl, getState(state));
    }

    /**
@@ -371,10 +375,11 @@ public class UrlBuilder {
     *
     * @param clientId    coding 应用的Client ID
     * @param redirectUrl coding 应用授权成功后的回调地址
+     * @param state       随机字符串，用于保持会话状态，防止CSRF攻击
     * @return full url
     */
-    public static String getTencentCloudAuthorizeUrl(String clientId, String redirectUrl) {
-        return MessageFormat.format(TENCENT_AUTHORIZE_PATTERN, AuthSource.TENCENT_CLOUD.authorize(), clientId, redirectUrl);
+    public static String getTencentCloudAuthorizeUrl(String clientId, String redirectUrl, String state) {
+        return MessageFormat.format(TENCENT_AUTHORIZE_PATTERN, AuthSource.TENCENT_CLOUD.authorize(), clientId, redirectUrl, getState(state));
    }

    /**
@@ -405,10 +410,11 @@ public class UrlBuilder {
     *
     * @param clientId    oschina 应用的Client ID
     * @param redirectUrl oschina 应用授权成功后的回调地址
+     * @param state       随机字符串，用于保持会话状态，防止CSRF攻击
     * @return full url
     */
-    public static String getOschinaAuthorizeUrl(String clientId, String redirectUrl) {
-        return MessageFormat.format(OSCHINA_AUTHORIZE_PATTERN, AuthSource.OSCHINA.authorize(), clientId, redirectUrl);
+    public static String getOschinaAuthorizeUrl(String clientId, String redirectUrl, String state) {
+        return MessageFormat.format(OSCHINA_AUTHORIZE_PATTERN, AuthSource.OSCHINA.authorize(), clientId, redirectUrl, getState(state));
    }

    /**
@@ -441,10 +447,11 @@ public class UrlBuilder {
     *
     * @param clientId    qq 应用的Client ID
     * @param redirectUrl qq 应用授权成功后的回调地址
+     * @param state       随机字符串，用于保持会话状态，防止CSRF攻击
     * @return full url
     */
-    public static String getQqAuthorizeUrl(String clientId, String redirectUrl) {
-        return MessageFormat.format(QQ_AUTHORIZE_PATTERN, AuthSource.QQ.authorize(), clientId, redirectUrl, System.currentTimeMillis());
+    public static String getQqAuthorizeUrl(String clientId, String redirectUrl, String state) {
+        return MessageFormat.format(QQ_AUTHORIZE_PATTERN, AuthSource.QQ.authorize(), clientId, redirectUrl, getState(state));
    }

    /**
@@ -464,10 +471,11 @@ public class UrlBuilder {
     *
     * @param clientId    alipay 应用的Client ID
     * @param redirectUrl alipay 应用授权成功后的回调地址
+     * @param state       随机字符串，用于保持会话状态，防止CSRF攻击
     * @return full url
     */
-    public static String getAlipayAuthorizeUrl(String clientId, String redirectUrl) {
-        return MessageFormat.format(ALIPAY_AUTHORIZE_PATTERN, AuthSource.ALIPAY.authorize(), clientId, redirectUrl);
+    public static String getAlipayAuthorizeUrl(String clientId, String redirectUrl, String state) {
+        return MessageFormat.format(ALIPAY_AUTHORIZE_PATTERN, AuthSource.ALIPAY.authorize(), clientId, redirectUrl, getState(state));
    }

    /**
@@ -475,11 +483,11 @@ public class UrlBuilder {
     *
     * @param clientId    微信 应用的appid
     * @param redirectUrl 微信 应用授权成功后的回调地址
+     * @param state       随机字符串，用于保持会话状态，防止CSRF攻击
     * @return full url
     */
-    public static String getWeChatAuthorizeUrl(String clientId, String redirectUrl) {
-        return MessageFormat.format(WECHAT_AUTHORIZE_PATTERN, AuthSource.WECHAT.authorize(), clientId, redirectUrl, System
-                .currentTimeMillis());
+    public static String getWeChatAuthorizeUrl(String clientId, String redirectUrl, String state) {
+        return MessageFormat.format(WECHAT_AUTHORIZE_PATTERN, AuthSource.WECHAT.authorize(), clientId, redirectUrl, getState(state));
    }

    /**
@@ -534,11 +542,11 @@ public class UrlBuilder {
     *
     * @param clientId    Taobao 应用的Client ID
     * @param redirectUrl Taobao 应用授权成功后的回调地址
+     * @param state       随机字符串，用于保持会话状态，防止CSRF攻击
     * @return full url
     */
-    public static String getTaobaoAuthorizeUrl(String clientId, String redirectUrl) {
-        return MessageFormat.format(TAOBAO_AUTHORIZE_PATTERN, AuthSource.TAOBAO.authorize(), clientId, redirectUrl, System
-                .currentTimeMillis());
+    public static String getTaobaoAuthorizeUrl(String clientId, String redirectUrl, String state) {
+        return MessageFormat.format(TAOBAO_AUTHORIZE_PATTERN, AuthSource.TAOBAO.authorize(), clientId, redirectUrl, getState(state));
    }

    /**
@@ -546,11 +554,11 @@ public class UrlBuilder {
     *
     * @param clientId    google 应用的Client ID
     * @param redirectUrl google 应用授权成功后的回调地址
+     * @param state       随机字符串，用于保持会话状态，防止CSRF攻击
     * @return full url
     */
-    public static String getGoogleAuthorizeUrl(String clientId, String redirectUrl) {
-        return MessageFormat.format(GOOGLE_AUTHORIZE_PATTERN, AuthSource.GOOGLE.authorize(), clientId, redirectUrl, System
-                .currentTimeMillis());
+    public static String getGoogleAuthorizeUrl(String clientId, String redirectUrl, String state) {
+        return MessageFormat.format(GOOGLE_AUTHORIZE_PATTERN, AuthSource.GOOGLE.authorize(), clientId, redirectUrl, getState(state));
    }

    /**
@@ -581,11 +589,11 @@ public class UrlBuilder {
     *
     * @param clientId    Facebook 应用的Client ID
     * @param redirectUrl Facebook 应用授权成功后的回调地址
+     * @param state       随机字符串，用于保持会话状态，防止CSRF攻击
     * @return full url
     */
-    public static String getFacebookAuthorizeUrl(String clientId, String redirectUrl) {
-        return MessageFormat.format(FACEBOOK_AUTHORIZE_PATTERN, AuthSource.FACEBOOK.authorize(), clientId, redirectUrl, System
-                .currentTimeMillis());
+    public static String getFacebookAuthorizeUrl(String clientId, String redirectUrl, String state) {
+        return MessageFormat.format(FACEBOOK_AUTHORIZE_PATTERN, AuthSource.FACEBOOK.authorize(), clientId, redirectUrl, getState(state));
    }

    /**
@@ -616,11 +624,11 @@ public class UrlBuilder {
     *
     * @param clientId    Douyin 应用的Client ID
     * @param redirectUrl Douyin 应用授权成功后的回调地址
+     * @param state       随机字符串，用于保持会话状态，防止CSRF攻击
     * @return full url
     */
-    public static String getDouyinAuthorizeUrl(String clientId, String redirectUrl) {
-        return MessageFormat.format(DOUYIN_AUTHORIZE_PATTERN, AuthSource.DOUYIN.authorize(), clientId, redirectUrl, System
-                .currentTimeMillis());
+    public static String getDouyinAuthorizeUrl(String clientId, String redirectUrl, String state) {
+        return MessageFormat.format(DOUYIN_AUTHORIZE_PATTERN, AuthSource.DOUYIN.authorize(), clientId, redirectUrl, getState(state));
    }

    /**
@@ -662,11 +670,11 @@ public class UrlBuilder {
     *
     * @param clientId    Linkedin 应用的Client ID
     * @param redirectUrl Linkedin 应用授权成功后的回调地址
+     * @param state       随机字符串，用于保持会话状态，防止CSRF攻击
     * @return full url
     */
-    public static String getLinkedinAuthorizeUrl(String clientId, String redirectUrl) {
-        return MessageFormat.format(LINKEDIN_AUTHORIZE_PATTERN, AuthSource.LINKEDIN.authorize(), clientId, redirectUrl, System
-                .currentTimeMillis());
+    public static String getLinkedinAuthorizeUrl(String clientId, String redirectUrl, String state) {
+        return MessageFormat.format(LINKEDIN_AUTHORIZE_PATTERN, AuthSource.LINKEDIN.authorize(), clientId, redirectUrl, state);
    }

    /**
@@ -708,11 +716,11 @@ public class UrlBuilder {
     *
     * @param clientId    微软 应用的Client ID
     * @param redirectUrl 微软 应用授权成功后的回调地址
+     * @param state       随机字符串，用于保持会话状态，防止CSRF攻击
     * @return full url
     */
-    public static String getMicrosoftAuthorizeUrl(String clientId, String redirectUrl) {
-        return MessageFormat.format(MICROSOFT_AUTHORIZE_PATTERN, AuthSource.MICROSOFT.authorize(), clientId, redirectUrl, System
-                .currentTimeMillis());
+    public static String getMicrosoftAuthorizeUrl(String clientId, String redirectUrl, String state) {
+        return MessageFormat.format(MICROSOFT_AUTHORIZE_PATTERN, AuthSource.MICROSOFT.authorize(), clientId, redirectUrl, getState(state));
    }

    /**
@@ -755,10 +763,11 @@ public class UrlBuilder {
     *
     * @param clientId    小米 应用的Client ID
     * @param redirectUrl 小米 应用授权成功后的回调地址
+     * @param state       随机字符串，用于保持会话状态，防止CSRF攻击
     * @return full url
     */
-    public static String getMiAuthorizeUrl(String clientId, String redirectUrl) {
-        return MessageFormat.format(MI_AUTHORIZE_PATTERN, AuthSource.MI.authorize(), clientId, redirectUrl, System.currentTimeMillis());
+    public static String getMiAuthorizeUrl(String clientId, String redirectUrl, String state) {
+        return MessageFormat.format(MI_AUTHORIZE_PATTERN, AuthSource.MI.authorize(), clientId, redirectUrl, getState(state));
    }

    /**
@@ -803,11 +812,11 @@ public class UrlBuilder {
     *
     * @param clientId    今日头条 应用的Client ID
     * @param redirectUrl 今日头条 应用授权成功后的回调地址
+     * @param state       随机字符串，用于保持会话状态，防止CSRF攻击
     * @return full url
     */
-    public static String getToutiaoAuthorizeUrl(String clientId, String redirectUrl) {
-        return MessageFormat.format(TOUTIAO_AUTHORIZE_PATTERN, AuthSource.TOUTIAO.authorize(), clientId, redirectUrl, System
-                .currentTimeMillis());
+    public static String getToutiaoAuthorizeUrl(String clientId, String redirectUrl, String state) {
+        return MessageFormat.format(TOUTIAO_AUTHORIZE_PATTERN, AuthSource.TOUTIAO.authorize(), clientId, redirectUrl, getState(state));
    }

    /**

--- a/src/test/java/me/zhyd/oauth/AuthRequestTest.java
+++ b/src/test/java/me/zhyd/oauth/AuthRequestTest.java
 package me.zhyd.oauth;

 import me.zhyd.oauth.config.AuthConfig;
+import me.zhyd.oauth.model.AuthCallback;
 import me.zhyd.oauth.model.AuthResponse;
 import me.zhyd.oauth.request.*;
 import org.junit.Test;
@@ -18,11 +19,12 @@ public class AuthRequestTest {
                .clientId("clientId")
                .clientSecret("clientSecret")
                .redirectUri("redirectUri")
+                .state("state")
                .build());
        // 返回授权页面，可自行调整
        authRequest.authorize();
        // 授权登录后会返回一个code，用这个code进行登录
-        authRequest.login("code");
+        authRequest.login(new AuthCallback());
    }

    @Test
@@ -31,11 +33,12 @@ public class AuthRequestTest {
                .clientId("clientId")
                .clientSecret("clientSecret")
                .redirectUri("redirectUri")
+                .state("state")
                .build());
        // 返回授权页面，可自行调整
        authRequest.authorize();
        // 授权登录后会返回一个code，用这个code进行登录
-        authRequest.login("code");
+        authRequest.login(new AuthCallback());
    }

    @Test
@@ -48,7 +51,7 @@ public class AuthRequestTest {
        // 返回授权页面，可自行调整
        authRequest.authorize();
        // 授权登录后会返回一个code，用这个code进行登录
-        authRequest.login("code");
+        authRequest.login(new AuthCallback());
    }

    @Test
@@ -57,11 +60,12 @@ public class AuthRequestTest {
                .clientId("clientId")
                .clientSecret("clientSecret")
                .redirectUri("redirectUri")
+                .state("state")
                .build());
        // 返回授权页面，可自行调整
        String url = authRequest.authorize();
        // 授权登录后会返回一个code，用这个code进行登录
-        authRequest.login("code");
+        authRequest.login(new AuthCallback());
    }

    @Test
@@ -70,11 +74,12 @@ public class AuthRequestTest {
                .clientId("clientId")
                .clientSecret("clientSecret")
                .redirectUri("redirectUri")
+                .state("state")
                .build());
        // 返回授权页面，可自行调整
        String url = authRequest.authorize();
        // 授权登录后会返回一个code，用这个code进行登录
-        authRequest.login("code");
+        authRequest.login(new AuthCallback());
    }

    @Test
@@ -83,11 +88,12 @@ public class AuthRequestTest {
                .clientId("clientId")
                .clientSecret("clientSecret")
                .redirectUri("redirectUri")
+                .state("state")
                .build());
        // 返回授权页面，可自行调整
        String url = authRequest.authorize();
        // 授权登录后会返回一个code，用这个code进行登录
-        authRequest.login("code");
+        authRequest.login(new AuthCallback());
    }

    @Test
@@ -96,11 +102,12 @@ public class AuthRequestTest {
                .clientId("clientId")
                .clientSecret("clientSecret")
                .redirectUri("redirectUri")
+                .state("state")
                .build());
        // 返回授权页面，可自行调整
        String url = authRequest.authorize();
        // 授权登录后会返回一个code，用这个code进行登录
-        authRequest.login("code");
+        authRequest.login(new AuthCallback());
    }

    @Test
@@ -109,11 +116,26 @@ public class AuthRequestTest {
                .clientId("clientId")
                .clientSecret("clientSecret")
                .redirectUri("redirectUri")
+                .state("state")
                .build());
        // 返回授权页面，可自行调整
        String url = authRequest.authorize();
        // 授权登录后会返回一个code，用这个code进行登录
-        authRequest.login("code");
+        authRequest.login(new AuthCallback());
+    }
+
+    @Test
+    public void alipayTest() {
+        AuthRequest authRequest = new AuthAlipayRequest(AuthConfig.builder()
+                .clientId("clientId")
+                .clientSecret("clientSecret")
+                .redirectUri("redirectUri")
+                .state("state")
+                .build());
+        // 返回授权页面，可自行调整
+        String url = authRequest.authorize();
+        // 授权登录后会返回一个code，用这个code进行登录
+        AuthResponse login = authRequest.login(new AuthCallback());
    }

    @Test
@@ -122,11 +144,12 @@ public class AuthRequestTest {
                .clientId("clientId")
                .clientSecret("clientSecret")
                .redirectUri("redirectUri")
+                .state("state")
                .build());
        // 返回授权页面，可自行调整
        String url = authRequest.authorize();
        // 授权登录后会返回一个code，用这个code进行登录
-        AuthResponse login = authRequest.login("code");
+        AuthResponse login = authRequest.login(new AuthCallback());
    }

    @Test
@@ -135,11 +158,26 @@ public class AuthRequestTest {
                .clientId("clientId")
                .clientSecret("clientSecret")
                .redirectUri("redirectUri")
+                .state("state")
                .build());
        // 返回授权页面，可自行调整
        String url = authRequest.authorize();
        // 授权登录后会返回一个code，用这个code进行登录
-        AuthResponse login = authRequest.login("code");
+        AuthResponse login = authRequest.login(new AuthCallback());
+    }
+
+    @Test
+    public void taobaoTest() {
+        AuthRequest authRequest = new AuthTaobaoRequest(AuthConfig.builder()
+                .clientId("clientId")
+                .clientSecret("clientSecret")
+                .redirectUri("redirectUri")
+                .state("state")
+                .build());
+        // 返回授权页面，可自行调整
+        String url = authRequest.authorize();
+        // 授权登录后会返回一个code，用这个code进行登录
+        AuthResponse login = authRequest.login(new AuthCallback());
    }

    @Test
@@ -148,11 +186,12 @@ public class AuthRequestTest {
                .clientId("clientId")
                .clientSecret("clientSecret")
                .redirectUri("redirectUri")
+                .state("state")
                .build());
        // 返回授权页面，可自行调整
        String url = authRequest.authorize();
        // 授权登录后会返回一个code，用这个code进行登录
-        AuthResponse login = authRequest.login("code");
+        AuthResponse login = authRequest.login(new AuthCallback());
    }

    @Test
@@ -161,11 +200,40 @@ public class AuthRequestTest {
                .clientId("clientId")
                .clientSecret("clientSecret")
                .redirectUri("redirectUri")
+                .state("state")
+                .build());
+        // 返回授权页面，可自行调整
+        String url = authRequest.authorize();
+        // 授权登录后会返回一个code，用这个code进行登录
+        AuthResponse login = authRequest.login(new AuthCallback());
+    }
+
+    @Test
+    public void douyinTest() {
+        AuthRequest authRequest = new AuthDouyinRequest(AuthConfig.builder()
+                .clientId("clientId")
+                .clientSecret("clientSecret")
+                .redirectUri("redirectUri")
+                .state("state")
                .build());
        // 返回授权页面，可自行调整
        String url = authRequest.authorize();
        // 授权登录后会返回一个code，用这个code进行登录
-        AuthResponse login = authRequest.login("code");
+        AuthResponse login = authRequest.login(new AuthCallback());
+    }
+
+    @Test
+    public void linkedinTest() {
+        AuthRequest authRequest = new AuthLinkedinRequest(AuthConfig.builder()
+                .clientId("clientId")
+                .clientSecret("clientSecret")
+                .redirectUri("redirectUri")
+                .state("state")
+                .build());
+        // 返回授权页面，可自行调整
+        String url = authRequest.authorize();
+        // 授权登录后会返回一个code，用这个code进行登录
+        AuthResponse login = authRequest.login(new AuthCallback());
    }

    @Test
@@ -174,11 +242,12 @@ public class AuthRequestTest {
                .clientId("clientId")
                .clientSecret("clientSecret")
                .redirectUri("redirectUri")
+                .state("state")
                .build());
        // 返回授权页面，可自行调整
        String url = authRequest.authorize();
        // 授权登录后会返回一个code，用这个code进行登录
-        AuthResponse login = authRequest.login("code");
+        AuthResponse login = authRequest.login(new AuthCallback());
    }

    @Test
@@ -187,10 +256,25 @@ public class AuthRequestTest {
                .clientId("clientId")
                .clientSecret("clientSecret")
                .redirectUri("redirectUri")
+                .state("state")
+                .build());
+        // 返回授权页面，可自行调整
+        String url = authRequest.authorize();
+        // 授权登录后会返回一个code，用这个code进行登录
+        AuthResponse login = authRequest.login(new AuthCallback());
+    }
+
+    @Test
+    public void toutiaoTest() {
+        AuthRequest authRequest = new AuthToutiaoRequest(AuthConfig.builder()
+                .clientId("clientId")
+                .clientSecret("clientSecret")
+                .redirectUri("redirectUri")
+                .state("state")
                .build());
        // 返回授权页面，可自行调整
        String url = authRequest.authorize();
        // 授权登录后会返回一个code，用这个code进行登录
-        AuthResponse login = authRequest.login("code");
+        AuthResponse login = authRequest.login(new AuthCallback());
    }
 }
--- a/update.md
+++ b/update.md
 ### 2019/06/28
 1. 修复百度登录获取不到token失效时间的问题
-2. gitee增加state参数校验
+2. 增加state参数校验，预防CSRF。强烈建议启用state！

 ### 2019/06/27
 1. 修改login方法的参数为AuthCallback，封装回调返回的参数