anthonyjgrove / react-google-login

A React Google Login Component
https://anthonyjgrove.github.io/react-google-login
MIT License
1.84k stars 427 forks

Feature request: Add support for "state" parameter #433

Open Honason opened 3 years ago

Honason commented 3 years ago

Hi! Would you consider adding support for state param? It could be passed in as a prop, in the same way as you pass accessType. Both are recommended params as well: https://developers.google.com/identity/protocols/oauth2/web-server#creatingclient

This can help security, and make it possible to pass extra information in redirect scenarios. And when you need to redirect the user to a specific, dynamic URL after authentication, I think this is the only way to do it (when using redirect, which has to be used in some mobile use cases).

HuncholiniTheFirst commented 3 years ago

According to the OAuth Specification, when using the authorization code grant for SPAs, the state parameter is explicitly recommended. Please include this option! (https://www.oauth.com/oauth2-servers/single-page-apps/#authorization)

"This also serves as a CSRF protection mechanism.

Note that the lack of using a client secret means that using the state parameter is even more important for single-page apps."

anthonyjgrove commented 3 years ago

Welcome to open a PR.
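The `state` handling requested in this issue, sketched as an added example that is not part of the thread or of react-google-login's code: an unguessable, single-use `state` is stored before the redirect and checked on return, and the post-login destination is kept next to it rather than trusted from the URL. The function names, the storage key and the Map-backed stand-in for `sessionStorage` are assumptions.

```javascript
// Added example; beginLogin, finishLogin, memoryStorage and STORAGE_KEY are hypothetical names.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;
const STORAGE_KEY = 'oauth_pending_state';

// Accept only same-site relative paths as post-login destinations;
// anything else ("//host", "/\host", absolute URLs) falls back to "/".
function safeReturnPath(path) {
  return typeof path === 'string' && /^\/(?![\/\\])/.test(path) ? path : '/';
}

// Before redirecting: create a random state and remember it with the return path.
function beginLogin(storage, { clientId, redirectUri, scope, returnPath }) {
  const bytes = webcrypto.getRandomValues(new Uint8Array(16));
  const state = Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
  storage.setItem(STORAGE_KEY, JSON.stringify({ state, returnPath: safeReturnPath(returnPath) }));
  const url = new URL('https://accounts.google.com/o/oauth2/v2/auth');
  url.search = new URLSearchParams({
    client_id: clientId, redirect_uri: redirectUri, response_type: 'code', scope, state,
  }).toString();
  return url.toString();
}

// On the redirect URI: the returned state must equal the stored one, and the
// stored value is deleted first so a callback URL cannot be replayed.
function finishLogin(storage, callbackUrl) {
  const params = new URL(callbackUrl).searchParams;
  const pending = JSON.parse(storage.getItem(STORAGE_KEY) || 'null');
  storage.removeItem(STORAGE_KEY);
  const returned = params.get('state');
  if (!pending || !returned || returned !== pending.state) {
    return { ok: false, reason: 'state_mismatch' };
  }
  const code = params.get('code');
  if (!code) return { ok: false, reason: params.get('error') || 'missing_code' };
  return { ok: true, code, returnPath: pending.returnPath };
}

// Map-backed stand-in for window.sessionStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => void m.set(k, String(v)),
    removeItem: (k) => void m.delete(k),
  };
}
```

In a browser, pass `window.sessionStorage` as `storage`; a callback that fails the check should be discarded without exchanging the code.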