Closed a-legrand closed 5 years ago
This check allows for state to be missing, but it has to be missing from both the response and whatever input you pass it. I'm guessing you're using the passport strategy, and that one needs some persistence to do what it's designed to do - best practice.
Hello, thanks for the library, very useful :)
My question is: why does the state parameter seem mandatory when the check occurs?
https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest references the state as recommended only.
In my implementation I can't rely on sessions. So my authorization request URL doesn't have a state, but the check fails as 2 missing variables can't obviously be the same: