Open Honason opened 3 years ago
According to the OAuth specification, when using the authorization code grant for SPAs, the state parameter is explicitly recommended. Please include this option! (https://www.oauth.com/oauth2-servers/single-page-apps/#authorization)
"This also serves as a CSRF protection mechanism.
Note that the lack of using a client secret means that using the state parameter is even more important for single-page apps."
Welcome to open a PR.
Hi! Would you consider adding support for the `state` param? It could be passed in as a prop, in the same way as you pass `accessType`. Both are recommended params as well: https://developers.google.com/identity/protocols/oauth2/web-server#creatingclient
This can help security, and make it possible to pass extra information in redirect scenarios. And when you need to redirect the user to a specific, dynamic URL after authentication, I think this is the only way to do it (when using redirect, which has to be used in some mobile use cases).
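
The check this thread asks for, as an added example that is not part of the issue or of the library's code: a random `state` is generated per login attempt, stored client-side with the post-login destination, and verified once when the redirect comes back. The names `beginLogin`, `finishLogin`, `safeReturnTo` and `STATE_KEY` are hypothetical, and `store` is assumed to be any object with the `sessionStorage` interface.

```javascript
// Added example; beginLogin, finishLogin, safeReturnTo and STATE_KEY are hypothetical names.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto; // Node < 19 fallback
const STATE_KEY = 'oauth_state';

// Only same-origin absolute paths may be used as the post-login destination.
function safeReturnTo(path) {
  return typeof path === 'string' && /^\/(?![\/\\])/.test(path) ? path : '/';
}

// Build the authorization URL and remember the state value for this attempt.
function beginLogin(store, { authEndpoint, clientId, redirectUri, scope, returnTo }) {
  const bytes = rng.getRandomValues(new Uint8Array(32));
  const state = btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, ''); // base64url
  store.setItem(STATE_KEY, JSON.stringify({ state, returnTo: safeReturnTo(returnTo) }));
  const url = new URL(authEndpoint);
  url.search = new URLSearchParams({
    response_type: 'code', client_id: clientId,
    redirect_uri: redirectUri, scope, state,
  }).toString();
  return url.toString();
}

// Validate the redirect back to the app before the code is exchanged.
function finishLogin(store, callbackUrl) {
  const params = new URL(callbackUrl).searchParams;
  const saved = store.getItem(STATE_KEY);
  store.removeItem(STATE_KEY); // single use, even when validation fails
  if (!saved) throw new Error('no login in progress');
  const { state, returnTo } = JSON.parse(saved);
  if (params.get('state') !== state) throw new Error('state mismatch');
  const code = params.get('code');
  if (!code) throw new Error('missing authorization code');
  return { code, returnTo };
}
```

In a browser, pass `sessionStorage` as `store`. Keeping the destination in storage keyed to the state value, rather than inside the `state` string itself, means the callback never trusts a URL supplied by the redirect.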