Hello,
there is this generate_state method in oauth.py:

    import jwt
    from flask import request

    # method of the OAuth security manager class in oauth.py
    def generate_state(self):
        """
        Generates a state which is required during the OAuth sign-in process
        """
        return jwt.encode(
            request.args.to_dict(flat=False),
            self.appbuilder.app.config["SECRET_KEY"],
            algorithm="HS256",
        )

It generates 'static' values for all sessions, meaning if you get one you will know the values for all sessions of a server.
It seems the intention for this 'state' parameter is to be a CSRF protection, so it should be random.
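To make the report concrete, here is an added example (not code from Flask-AppBuilder or from the reporter) that puts a stdlib HMAC stand-in for the reported generate_state beside a form that binds a random per-login nonce to the user's session and checks it on the callback; jwt.encode is replaced by HMAC-SHA256 over a JSON body, and the secret key, the sample request args and the in-memory session dict are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

SECRET_KEY = b"constructed-demo-secret"  # stands in for app.config["SECRET_KEY"]


def _sign(payload: dict, key: bytes) -> str:
    """Serialize deterministically and append an HMAC-SHA256 tag (stand-in for HS256 JWT)."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(tag).decode()


def _verify(token: str, key: bytes) -> Optional[dict]:
    """Return the payload only if the tag verifies; None on malformed or tampered input."""
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong field count or bad base64 padding
        return None
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        return None
    return json.loads(body)


def vulnerable_state(request_args: dict) -> str:
    # Mirrors the reported generate_state: only the request args are signed, nothing
    # session-specific, so every login with the same args gets the same state.
    return _sign(request_args, SECRET_KEY)


def hardened_state(request_args: dict, session: dict) -> str:
    # Adds a random per-login nonce and remembers it in the server-side session.
    nonce = secrets.token_urlsafe(32)
    session["oauth_state_nonce"] = nonce
    return _sign({"nonce": nonce, "args": request_args}, SECRET_KEY)


def check_state(state: str, session: dict) -> Optional[dict]:
    """Callback-side check: signature must verify AND the nonce must match this session.
    The nonce is single-use. Returns the original request args on success, else None."""
    payload = _verify(state, SECRET_KEY)
    expected = session.pop("oauth_state_nonce", None)
    if payload is None or expected is None or not isinstance(payload.get("nonce"), str):
        return None
    if not hmac.compare_digest(payload["nonce"], expected):
        return None
    return payload["args"]
```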