panva / openid-client

OAuth 2 / OpenID Connect Client API for JavaScript Runtimes
MIT License

Mandatory state? #170

Closed a-legrand closed 5 years ago

a-legrand commented 5 years ago

Hello, thanks for the library, very useful :)

My question is: why does the state parameter seem mandatory when the check occurs?

https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest references the state as recommended only.

In my implementation I can't rely on sessions. So my authorization request URL doesn't have a state, but the check fails, as 2 missing variables obviously can't be the same:

```js
// Excerpt of the library's callback check as quoted in the issue
if (checks.state !== params.state) {
  throw new RPError({
    printf: ['state mismatch, expected %s, got: %s', checks.state, params.state],
    checks,
    params,
  });
}
```
panva commented 5 years ago

This check allows for state to be missing, but it has to be missing from both the response and whatever input you pass it. I'm guessing you're using the passport strategy, and that one needs some persistence to do what it's designed to do - best practice.