sergiodxa / remix-auth-oauth2

An OAuth2Strategy for Remix Auth
https://sergiodxa.github.io/remix-auth-oauth2/
MIT License

Make generateState protected #25

Closed TimmersThomas closed 2 years ago

TimmersThomas commented 2 years ago

Reason for PR

As state is the most logical way for AWS Cognito (https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html), and I suppose also for other OAuth2 clients, of passing some parameters between the request for authorization and the redirect after authorization.

It would be handy to be able to adjust this value if needed/wanted.

In our case we used it for passing a redirectTo URL to our callback page.

sergiodxa commented 2 years ago

This has been requested before (#1); the state should be a random token, and using it to pass parameters would make the state guessable.

If you need to pass data from the request redirecting to Cognito to the callback URL the user is redirected back to, you should store that data on the session yourself; that's the safest way to do it.

TimmersThomas commented 2 years ago

Hi @sergiodxa

That depends on the implementation of the custom value, imho. Currently I, for example, would use a combination of a parseable value containing the redirect URL together with a uuid-v4 param.

Storing it in a session was also a path I tried, but I didn't find a great way to make sure that, if somebody has no session data available, the current URL is saved in a session and that session committed, and to make sure the session commit from remix-auth-oauth2 isn't ignoring my changes. When somebody already has a correct session, this was of course not an issue.