
docs: Explain OAuth2 parameter `state`

Open vinckr opened this issue 2 years ago • 0 comments

Related error message:

AuthorizationError: The state is missing or does not have enough characters and is therefore considered too weak. Request parameter 'state' must be at least be 8 characters long to ensure sufficient entropy.

This could be a code example that works

app.get(
  "/auth/hydra",
  passport.authenticate("oauth2", {
    scope: ["openid", "offline", "email"],
    // random, per-request value; Hydra rejects anything shorter than 8 characters
    state: "<totallyrandomstring>",
    // failureRedirect belongs in the same options object, not in a third argument
    // (passport.authenticate's third parameter is a callback function)
    failureRedirect: "/error",
  })
);

Explanation from SA:

The state parameter is used to protect against XSRF. Your application generates a random string and sends it to the authorization server using the state parameter. The authorization server sends back the state parameter. If both states are the same => OK. If the state parameters are different, someone else has initiated the request.


Still have to find a good spot for this in the hydra docs. A bigger effort to explain OAuth2.0 better is probably needed and will take some time.

vinckr Mar 01 '22 13:03