datacite / omniauth-orcid

ORCID Strategy for OmniAuth
MIT License

ORCID honours the state param, so no need to ignore it #12

Closed yob closed 6 years ago

yob commented 6 years ago

The current ORCID docs say:

Appended to the end of that link will be a six-digit authorization code and any state parameter you specified

We've tested this in our system (a rails app at theconversation.com) and confirmed that sign in via ORCID continues to work when provider_ignores_state is set to false.

OAuth2 sign-ins are reportedly safer when the state param is checked, so it may be worth changing the default behaviour.

mfenner commented 6 years ago

This unfortunately breaks the CSRF checks in Rails, which use the state parameter. See for example https://github.com/omniauth/omniauth-oauth2/issues/32. The workaround is to add {:provider_ignores_state => true} to your omniauth configuration.
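To make the trade-off in this thread concrete, below is a compact model of the state check an OmniAuth OAuth2 strategy performs between the request and callback phases, and of what `provider_ignores_state: true` switches off. This is an added illustration, not code from omniauth-orcid or omniauth-oauth2; the class name, the authorize URL and the client id are constructed.

```ruby
require "securerandom"
require "uri"

# Illustrative model of OAuth2 `state` handling (not the gem's own code).
# `provider_ignores_state` is the option discussed in the issue; the rest
# (class name, URL, client id, session hash) is constructed for the example.
class StateCheckingStrategy
  attr_reader :session

  def initialize(provider_ignores_state: false)
    @provider_ignores_state = provider_ignores_state
    @session = {} # stand-in for the Rails session store
  end

  # Request phase: mint a random nonce, remember it in the session and send
  # it to the provider as the `state` query parameter.
  def request_phase(authorize_url: "https://orcid.example/oauth/authorize")
    state = SecureRandom.hex(24)
    @session["omniauth.state"] = state
    query = URI.encode_www_form(client_id: "APP-CONSTRUCTED",
                                response_type: "code", state: state)
    "#{authorize_url}?#{query}"
  end

  # Callback phase: the provider echoes `state` back (as the ORCID docs quoted
  # above say it does). The stored value is consumed on first use, so a
  # replayed callback fails even if the state matched once. With the check
  # disabled, any callback is accepted regardless of `state`.
  def callback_phase(callback_params)
    expected = @session.delete("omniauth.state")
    return true if @provider_ignores_state
    return false if expected.nil? || callback_params["state"].nil?
    secure_compare(expected, callback_params["state"])
  end

  private

  # Constant-time comparison so a mismatch does not leak the stored state.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Extract the `state` the provider would copy from the authorize URL into
# its redirect, so the demo can simulate an honest ORCID round trip.
def state_from(authorize_url)
  URI.decode_www_form(URI(authorize_url).query).to_h["state"]
end
```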