[ https://issues.apache.org/jira/browse/GUACAMOLE-560?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16463545#comment-16463545 ]
Dave Smith commented on GUACAMOLE-560:
--------------------------------------

Thanks [~nick.couch...@yahoo.com] - indeed it seems Okta have taken the steps to make it mandatory.

I see auth0 generate one automatically if one is not provided;

[https://auth0.com/docs/libraries/lock/v11/sending-authentication-parameters]
[https://auth0.com/docs/protocols/oauth2/oauth-state]

> Include "state" parameter in OpenID Connect authorization request
> -----------------------------------------------------------------
>
> Key: GUACAMOLE-560
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-560
> Project: Guacamole
> Issue Type: Wish
> Components: guacamole-auth-openid
> Affects Versions: 0.9.14
> Reporter: Dave Smith
> Priority: Trivial
>
> {quote}I've tried to get this set up. Unfortunately it seems Okta insist (even
> with Single Page App (SPA)) to have state field in the POST even if (when
> using SPA) it's not actually used. The guacamole client just goes in a
> redirect loop with error in URL visible of "invalid state".
>
> With SPA the state parameter can even be some random letters, but must be
> there. Using OIDCDebugger.com gleans this:{quote}
> {quote}
> error=invalid_request
> error_description=The authentication request has an invalid 'state'
> parameter.
>
> yet by adding a bunch of x's to the state parameter..
>
> I get a much more positive response:
> state=xxxxxxxxxxxxx
> id_token=eyJraWQiOiI0NlpNbjlZZG5HQ1AxMGhDUWs5VWtvc2ljUmltTURJRDBBbVh1dWhHUUhrIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiIwMHUxMDAxNnVwUzhFaENuMjJwNyIsInZlciI6MSwiaXNzIjoiaHR0cHM6Ly9hdG9zbXBjYXdzLm9rdGEuY29tIiwiYXVkIjoiMG9hMTIzZG8weXNibFN4dUoycDciLCJpYXQiOjE1MjQ3NTQwOTUsImV4cCI6MTUyNDc1NzY5NSwianRpIjoiSUQuRmZGYzFpZlA2VG
>
> I'd kindly ask that state could be added as an optional parameter to the guac
> properties file.{quote}

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
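The `state` round trip discussed in this issue, as an added example (not Guacamole's code and not part of the original message): a per-session random `state` goes out with an implicit-flow request and is checked on the response, so it both satisfies a provider that requires the parameter and binds the response to the session that started it. The endpoint, client ID, redirect URI and the dict-like `session` are constructed placeholders.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed placeholder values; substitute the identity provider's real ones.
AUTHZ_ENDPOINT = "https://idp.example.com/oauth2/v1/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://guac.example.com/guacamole/"


def build_authorization_request(session):
    """Return the authorization URL and remember state/nonce in the session."""
    session["state"] = secrets.token_urlsafe(32)  # unguessable, URL-safe
    session["nonce"] = secrets.token_urlsafe(32)
    query = urlencode({
        "response_type": "id_token",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": session["state"],
        "nonce": session["nonce"],
    })
    return f"{AUTHZ_ENDPOINT}?{query}"


def check_callback(session, callback_url):
    """Validate the fragment the provider appended to redirect_uri.

    Returns the raw id_token on success and raises ValueError otherwise.
    The token's signature and nonce claim still have to be verified separately.
    """
    params = parse_qs(urlsplit(callback_url).fragment)
    expected = session.pop("state", None)  # single use: a replay finds nothing
    returned = params.get("state", [""])[0]
    if "error" in params:
        raise ValueError(params.get("error_description", params["error"])[0])
    # Constant-time comparison of the stored and returned values.
    if expected is None or not hmac.compare_digest(expected.encode(), returned.encode()):
        raise ValueError("state mismatch: response does not belong to this session")
    if "id_token" not in params:
        raise ValueError("no id_token in response")
    return params["id_token"][0]
```

A fixed value such as the run of x's in the report passes the provider's presence check but fails `check_callback` here, because it does not match the value stored for the session.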