client config: make state parameter optional#284
Conversation
The state parameter is recommended but not mandatory so make this configurable in case the server does not support it. By default this is set to true in order to prevent cross-site request forgery.
The state parameter is recommended but not mandatory so make this configurable in case the server does not support it. By default this is set to true in order to prevent cross-site request forgery. There is a pending PR in the main repo p2#284
|
Do you know which servers don't support |
|
In my case, this only happens when using QR codes and directly start the authentification process to the step of requesting the redirect URL. So in this case, there is no risk of cross-site request forgery. In the change I did, the state parameter is still checked if there is any. |
|
The risk is in the library being able to be used without state parameter, which I'm not a fan of. How exactly are you starting the flow? Maybe it makes sense to create a subclass for this use case. |
|
Our scenario is when users log in with QR codes. The QR code encodes directly the redirect url so there is not state to check here. What would be the proper way to add such feature to the library? |
|
Subclass, take a look at e.g. OAuth2CodeGrantNoTokenType. |
The state parameter is recommended but not mandatory so make this configurable in case the server does not support it. By default this is set to true in order to prevent cross-site request forgery. There is a pending PR in the main repo p2#284
The state parameter is recommended but not mandatory so make this configurable in case the server does not support it. By default this is set to true in order to prevent cross-site request forgery. There is a pending PR in the main repo p2#284
2 participants
The state parameter is recommended but not mandatory so make this
configurable in case the server does not support it. By default this is
set to true in order to prevent cross-site request forgery.