
[Hosted UI] State parameter

Open alshdavid opened this issue 5 years ago • 2 comments

Hey, not sure where else to talk about the hosted ui.

How do I use the state parameter with the hosted UI?

alshdavid avatar Jul 22 '18 04:07 alshdavid

You could use a client-generated value in the state parameter to prevent CSRF attacks. Cognito's login & Authorization endpoints support this parameter. So, include a sufficiently large & random value in the state parameter while entering the URL in your client/browser.

kuabhila avatar Aug 01 '18 10:08 kuabhila

From what I see, the SDK would generate the state automatically if none is set. However, it does not store the generated value and does not validate it upon callback (see getFQDNSignIn()). Why is that? I would agree that it is the user's responsibility to do, but as the SDK has made the first step to generate a random value, maybe it would be reasonable to use it? At least I see no reason why not to add the storage and validation.

What would the maintainers say?

vpod avatar Aug 13 '18 18:08 vpod