oauth2orize

Why is the transaction id necessary?

Open · apichick opened this issue 7 years ago · 1 comment

Could you clarify why the transaction id is necessary? Wouldn't it be enough to check if the user is logged in?

apichick · Mar 07 '17 17:03

Some oauth workflows require multiple requests and responses with the user.

One example of this is when user consent is required. The first request would show a dialog asking for consent which then posts back to a second route. That second route needs all the information from the first request. Since some of the information may be sensitive, the framework saves it all for you as a transaction within the session. It is then reused within the second request via something like server.decision().

This is explained in the source code at: https://github.com/jaredhanson/oauth2orize/blob/f6dabcc06ea0c76deaf9ae87564d1b4e30f99e56/lib/middleware/authorization.js#L11-L16

I hope that helps.

smaclell · Aug 26 '17 05:08