sergiodxa
commented
6 months ago The state needs to be a random, unique and unguessable value, you shouldn't use the state to store some specific information, that's why the strategy doesn't provide a way to customize it, to ensure it's used correctly in a safe way.
If you want to use it to send a value from the route triggering the login flow to the callback, it's better to use a cookie.
As it stands, the
stateauthorization param is controlled by a private methodgenerateState, and you can't override it.In my case, I'd like to be able to control this param and set it from the
authorizationParamsoverride. This PR allows for a check to happen in thegetAuthorizationURLmethod. Please let me know your thoughts, as I'm no OAuth expert. 🙏