This reverts #181 and adds a `send_state` parameter instead to address #174.

According to https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3.1.2.1, `state` is recommended but not required:

> state
> RECOMMENDED. Opaque value used to maintain state between the request and the callback. Typically, Cross-Site Request Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the value of this parameter with a browser cookie.

In https://github.com/omniauth/omniauth_openid_connect/pull/181 we attempted to make `require_state` skip the `state` verification if it were `true`, but this was reverted for two reasons:

1. If identity providers make direct requests to the callback phase with a valid token, no `state` is passed in the request. If `require_state` were `true`, this change fails the request and breaks existing flows.
2. If `state` isn't sent in the first place, it should not be verified.

`send_state` will now disable the sending of a `state` in the authorize phase.
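As an added illustration (not the gem's own code) of the two phases the description refers to: the authorize phase mints a random `state` bound to the browser session only when `send_state` is on, and the callback phase verifies it only if one was actually issued, so an IdP-initiated callback that never carried a state is skipped rather than failed. `StateFlow`, its `send_state:` keyword and the `session` hash are hypothetical stand-ins for the strategy and the cookie-backed session.

```ruby
require "securerandom"

# Hypothetical model of the authorize/callback phases; `session` stands in
# for the browser-bound cookie that the state value is tied to.
class StateFlow
  attr_reader :session

  def initialize(send_state: true)
    @send_state = send_state
    @session = {}
  end

  # Authorize phase: when send_state is true, mint an unguessable state and
  # remember it in the browser session so the callback is bound to this browser.
  def authorize_params
    params = { response_type: "code", scope: "openid" }
    if @send_state
      state = SecureRandom.hex(16)
      @session[:state] = state
      params[:state] = state
    end
    params
  end

  # Callback phase: verify state only if one was issued. If the IdP initiated
  # the callback directly (no state was ever sent), there is nothing to compare,
  # so verification is skipped rather than failed. A state that arrives when
  # none was issued, or a stale/replayed one, is a mismatch.
  # Returns :ok, :skipped or :mismatch.
  def verify_callback(callback_params)
    expected = @session.delete(:state) # one-time use: consumed on first check
    return :skipped if expected.nil? && !callback_params.key?(:state)
    actual = callback_params[:state].to_s
    constant_time_equal?(expected.to_s, actual) ? :ok : :mismatch
  end

  private

  # Constant-time comparison so the check does not leak the expected value
  # through timing differences.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```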