Introduction
In an OAuth2 authorization code flow the state parameter is a way to keep state across browser redirects. You can use it to inject some data into the flow at the start, and then recover that data at the end. This package uses this feature to increase security by injecting a random string at the start and checking that it is unchanged at the end. That's awesome. However, the user may also want to add some of their own data to the state. Currently this package offers no mechanism to do that.
Proposal
Allow the user to add an additionalState function that returns a string to the configuration and just concatenate its (URL-encoded) return value to the randomly generated state in fetchAuthorizationCode. Then, in isReturningFromAuthServer after the state has been verified, extract the additional state, URL-decode it, and assign it to this.state.additional. Finally add a public getter getAdditionalState for the user to retrieve this state.
Note that this proposal is backward compatible. Also, if I'm reasonably confident that a PR along these lines (or whatever alternative approach) will actually be accepted I will probably create one.
Use case
I think the most common use case for this would probably be adding a redirect URL to the state because it's not always practical or even possible to configure the OAuth server to allow all the possible redirect URLs you might need.