OAuth2
client config: make state parameter optional
The state parameter is recommended but not mandatory, so make this configurable in case the server does not support it. By default this is set to true in order to prevent cross-site request forgery.
Do you know which servers don't support state? Not using state opens a gaping security hole, and I would prefer if it had to be used.
In my case, this only happens when using QR codes and directly starting the authentication process at the step of requesting the redirect URL. So in this case, there is no risk of cross-site request forgery. In the change I made, the state parameter is still checked if there is one.
The risk is in the library being able to be used without state parameter, which I'm not a fan of. How exactly are you starting the flow? Maybe it makes sense to create a subclass for this use case.
Our scenario is when users log in with QR codes. The QR code encodes the redirect URL directly, so there is no state to check here. What would be the proper way to add such a feature to the library?
Subclass, take a look at e.g. OAuth2CodeGrantNoTokenType.
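The two positions in this thread, a "check state only if present" switch versus keeping the check mandatory in the base client and relaxing it in a subclass for the QR flow, can be compared directly. The following is an added, language-neutral illustration written for this page; it is not code from the OAuth2 library discussed here (which is written in Swift), and `CodeGrantClient`, `QRCodeGrantClient`, the endpoint URLs and the authorization codes are assumed names and constructed sample values. It shows that a client which accepts a state-less redirect will also accept a redirect an attacker crafted with a code of their own, because omitting `state` is exactly what an attacker who cannot guess the random value would do; confining that behaviour to a subclass that is only ever handed QR-scanned URLs keeps the normal browser callback path strict.

```python
"""Redirect-URL validation for an OAuth 2.0 authorization-code client.

Illustration written for this thread, not the library's own code. The base
client always requires the state parameter; a subclass relaxes it for the
QR-code flow, mirroring the subclass approach suggested in the thread.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class RedirectError(Exception):
    """Raised when a redirect must not be turned into a token request."""


class CodeGrantClient:
    """Minimal authorization-code client (assumed class, not library code)."""

    def __init__(self, authorize_endpoint, client_id, redirect_uri):
        self.authorize_endpoint = authorize_endpoint
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.pending_state = None  # random state issued for the flow in progress

    def authorization_url(self):
        """Build the URL the user is sent to; binds this flow to a fresh state."""
        self.pending_state = secrets.token_urlsafe(32)
        query = urlencode({
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "state": self.pending_state,
        })
        return f"{self.authorize_endpoint}?{query}"

    def code_from_redirect(self, redirect_url):
        """Return the code only if the redirect belongs to the flow we started."""
        query = parse_qs(urlparse(redirect_url).query)
        if "error" in query:
            raise RedirectError(f"authorization server error: {query['error'][0]}")
        code = query.get("code", [""])[0]
        if not code:
            raise RedirectError("redirect carries no code")
        state = query.get("state", [None])[0]
        if state is None:
            # Mandatory: a redirect without state is never exchanged for a token.
            raise RedirectError("redirect carries no state")
        expected = self.pending_state
        if expected is None or not hmac.compare_digest(state.encode(), expected.encode()):
            raise RedirectError("state does not match the flow this client started")
        self.pending_state = None  # state is single use
        return code


class QRCodeGrantClient(CodeGrantClient):
    """Variant for a flow that starts from a redirect URL scanned off a QR code.

    No state was issued for such a URL, so the check is dropped here and only
    here. Caveat: feed this class QR-scanned URLs only; a redirect arriving via
    the browser or app-link callback must still go through CodeGrantClient.
    """

    def code_from_redirect(self, redirect_url):
        query = parse_qs(urlparse(redirect_url).query)
        if "state" not in query:
            code = query.get("code", [""])[0]
            if not code:
                raise RedirectError("QR redirect carries no code")
            return code
        return super().code_from_redirect(redirect_url)


def accepts(client, redirect_url):
    """True if the client would go on to exchange the code in redirect_url."""
    try:
        client.code_from_redirect(redirect_url)
        return True
    except RedirectError:
        return False


# Constructed sample values, not captured from a real server.
AUTHORIZE = "https://as.example/authorize"
CALLBACK = "https://app.example/callback"
VICTIM_CODE = "SplxlOBeZQQYbYS6WxSbIA"  # code for the flow the client started
INJECTED_CODE = "AttackerOwnedCode"     # code an attacker obtained for their own account


def demo(client):
    """Run a legitimate redirect, then an injected one; return (legit_ok, injected_ok)."""
    client.authorization_url()
    issued = client.pending_state
    legit = accepts(client, f"{CALLBACK}?code={VICTIM_CODE}&state={issued}")
    # Attacker makes the client load the callback with their code and no state.
    injected = accepts(client, f"{CALLBACK}?code={INJECTED_CODE}")
    return legit, injected


if __name__ == "__main__":
    print("state mandatory:", demo(CodeGrantClient(AUTHORIZE, "app", CALLBACK)))
    print("QR subclass:    ", demo(QRCodeGrantClient(AUTHORIZE, "app", CALLBACK)))
```

With the base client the injected redirect is rejected; with the QR subclass it is accepted, which is acceptable only because that class is never reachable from a URL the attacker can deliver. A global "state optional" switch would make every client instance behave like the subclass.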