auth0 / passport-linkedin-oauth2

Passport Strategy for LinkedIn OAuth 2.0
MIT License
119 stars 107 forks source link

Question: about state & session #38

Open JSteunou opened 8 years ago

JSteunou commented 8 years ago

I tried to use state: true but then I saw it requires session. I do not use express session not passport with session. Why both are tied and how can I have a state without session?

siacomuzzi commented 8 years ago

The state param is used to prevent CSRF attacks. From Linkedin API doc:

Before you accept the authorization code, your application should ensure that the value returned in the state parameter matches the state value from your original authorization code request. This ensures that you are dealing with the real original user and not a malicious script that has somehow slipped into the middle of your authentication flow. If the state values do not match, you are likely the victim of a CSRF attack and you should throw an HTTP 401 error code in response.

Thats why they are tied, because passport-oauth2 requieres session support to persist state value between redirects.