Closed Jokcy closed 8 months ago
The OAuth2Strategy used as base from this GitHubStrategy already sets the `state` search param.
Is it possible to customize it? I did not find the option.
It's not possible: per spec the state must be random. I generate one using a UUID; there's no need to customize it, and opening the option to do it would let apps use unsafe values.
Not what I expected: if you generate a UUID, how can you verify that the state is correct on callback?
The state is stored in the session before sending the user to the authorization URL; then the state the provider sent back is compared against the one in the session.
When redirecting to the GitHub auth URL, we can include a `state` query param, and when auth succeeds GitHub will add this state to the callback URL query; we can use it to verify that this callback call is valid. For example, we can put a time string in the state and verify in the callback whether it is outdated.