state
RECOMMENDED. Opaque value used to maintain state between the
request and the callback. Typically, Cross-Site Request Forgery
(CSRF, XSRF) mitigation is done by cryptographically binding the
value of this parameter with a browser cookie.
If identity providers make direct requests to the callback phase with a valid token, no state is passed in the request. If require_state were true, this change fails the request and breaks existing flows.
If state isn't sent in the first place, it should not be verified.
send_state will now disable the sending of a state in the authorize phase.
This reverts #181 and adds a
send_stateparameter instead to address #174.According to https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3.1.2.1,
stateis recommended but not required:In https://github.com/omniauth/omniauth_openid_connect/pull/181 we attempted to make
require_stateskip thestateverification if it weretrue, but this was reverted for two reasons:stateis passed in the request. Ifrequire_stateweretrue, this change fails the request and breaks existing flows.stateisn't sent in the first place, it should not be verified.send_statewill now disable the sending of astatein the authorize phase.