State is not stored

Open FizzBuzz791 opened this issue 6 years ago • 6 comments

When a user is stored, the state property, which is hydrated with the state that has been echoed back from the server, is not stored, as per: https://github.com/IdentityModel/oidc-client-js/blob/01c872abc145114c76d9491b242d4d814c07e22a/src/User.js#L48-L57

Is there a particular reason for this or is this an oversight?

FizzBuzz791, Jan 15 '19 02:01

That's by design. The state is available in the callback completing the protocol processing (e.g. signinRedirectCallback)

brockallen, Jan 15 '19 13:01

OK. Seems weird that it's a property on the user but then it's not actually persisted. Why doesn't _signinEnd return a response object, that contains the user and the state then? Make it explicit about what's happening with the data.

FizzBuzz791, Jan 15 '19 23:01

I like that idea, but it'd be breaking. I can do it for 3.0.

brockallen, Jan 16 '19 12:01

3.0?! It's only on 1.6, did you mean 2.0?

Fair enough though, definitely a breaking change. It'd be ideal to separate state and user entirely if that contract is getting broken anyway. The more explicit the better. Haven't looked into how feasible that is yet though.

Do you need any assistance?

FizzBuzz791, Jan 16 '19 23:01

Oh yea, I think I meant 2.0 -- I have too many OSS projects to maintain. :/

brockallen, Jan 17 '19 01:01

Does anyone have a solid way of accessing the state after final login redirect? It seems cumbersome to need to store the state ourselves in session storage so that we can access it after the final login redirect. Is this a security measure?

jgrisafe, Jun 22 '20 14:06
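
An added example, not part of the thread and not the project's code: one way to act on the point made above that the state is available from `signinRedirectCallback` but is not kept with the stored user. It reads `user.state` as soon as the callback resolves and returns it explicitly next to the user. The names `completeSignin`, `safeReturnPath`, `makeStubManager` and the `returnPath` field are assumptions, and the stub stands in for a real `UserManager` so the block runs offline.

```javascript
// Added example. Only signinRedirectCallback() and user.state come from the
// thread; every other name here is hypothetical.

// State is echoed back through the browser, so treat it as untrusted input:
// accept only a same-origin, path-only return target (assumed field: returnPath).
function safeReturnPath(state, fallback = "/") {
  const path = state && typeof state.returnPath === "string" ? state.returnPath : null;
  if (!path || !path.startsWith("/") || path.startsWith("//") || path.includes("\\")) {
    return fallback;
  }
  return path;
}

// Read the state from the callback result, where it is still present, and
// hand it back explicitly instead of expecting it on the stored user later.
async function completeSignin(userManager) {
  const user = await userManager.signinRedirectCallback();
  return { user, returnPath: safeReturnPath(user.state) };
}

// Constructed stand-in for UserManager: the callback result carries state,
// the persisted copy does not (the behaviour described in this issue).
function makeStubManager(state) {
  let stored = null;
  return {
    async signinRedirectCallback() {
      const user = { profile: { sub: "constructed-sub" }, state };
      const { state: _dropped, ...persisted } = user;
      stored = JSON.stringify(persisted);
      return user;
    },
    async getUser() {
      return stored ? JSON.parse(stored) : null;
    },
  };
}
```

With the real library, the same wrapper would be called on the redirect callback page with the application's `UserManager` instance, after passing the value in at sign-in time via the `state` argument.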