cookie pairing

Open lacmuch opened this issue 2 years ago • 0 comments

The system browser opened for the Google authentication prompt has no shared "cookie space" with the application. What is the most secure way to pair the OAuth browser request's session with the application request's session in the backend?

Is the ChatGPT answer the best way? :)

"One option is to use a "state" parameter in the OAuth flow to link the authorization request with the session on the backend. The OAuth server includes this value when redirecting the user's browser to the authorization prompt. The authorization prompt includes the "state" parameter in the response when redirecting the user's browser back to the application.

Here's how it works:

The application generates a random "state" value and includes it in the authorization request. The OAuth server stores the "state" value in the session and includes it in the response when redirecting the user's browser to the authorization prompt. The user authenticates with the authorization prompt and is redirected back to the application with the "state" value in the response. The application can then check that the "state" value in the response matches the value stored in the session, ensuring that the request is authentic. This approach helps to prevent cross-site request forgery (CSRF) attacks by ensuring that the authorization response can only be sent to the intended application.

Another option is to use a secure token stored in the browser's Local Storage or a cookie to link the authorization request with the session on the backend. This approach requires securely signing the token on the backend and verifying the signature on the frontend.

I hope this helps! Let me know if you have any questions."

lacmuch avatar Jan 07 '23 11:01 lacmuch