Closed chrt00 closed 6 years ago
@chrt00 Is there any reason this library needs to do this, as opposed to applications implementing this?
I agree that this approach feels like the best way to pass state parameters, but that doesn't mean it should be in omniauth-stripe-connect
.
It feels like unnecessary complexity for the library. Your application may want to do this, but others may have a different set of requirements.
However, if it can be demonstrated that other omniauth strategy providers are implementing this, and this is the approach that omniauth is mandating going forward, I am happy to change.
@chrt00 Another way of approach it is: If this is a security concern (it is), a proposal should be made to the omniauth folks (or even just the omniauth-oauth2 folks), and an approach to ensuring data like this is secured should be determined from the top, because a lot of the Ruby-run web may be authenticating off of omniauth, and would have no approach to secured input.
The author hasn't responded in a long while.
The only URL parameter allowed is the
state
variable with the Stripe Connect API. This PR addresses this change by encapsulating data as well as the default state (http://www.thread-safe.com/2014/05/the-correct--useof-state-parameter-in.html) within a JWT.