oauth-client: recommend verifying state parameter before processing oauth callback #3353
Conversation
…auth callback Given that the state parameter is often used as a nonce in many clients (e.g., a random value) and not as a "this is the user account in our system" type value, you'd want to verify the state parameters match before actually completing the oauth callback handling.
|
Hey @ThisIsMissEm , The The way it works, the client implementation generates a random value, and the actual state data must be persisted in the client somehow (the state data will be stored in the indexdb in the browser, a storage implementation must be provided when used from a back-end). The client implementation will also remove the persisted state data directly after it is first read (preventing replays). Thanks to this, users of the lib do not need to actually verify the The example in the readme should probably be made more explicit in that regard. Thanks for bringing this to our attention 🙏 |
|
Oh! So |
No, it isn't. Naming things is hard 😅 |
Given that the state parameter is often used as a nonce in many clients (e.g., a random value) and not as a "this is the user account in our system" type value, you'd want to verify the state parameters match before actually completing the oauth callback handling.
Unless there's something I'm missing about the
client.callbackmethod that some how asserts that state matches before doing an oauth authorization code for token exchange?