> > The follow-up question is what are you using it for?

As I mentioned before, the authorization request to Google contains a variable "state". After the user is authenticated, Google will send a response attaching the same "state" value. We need to check the two state variables and validate that both are equal. To do this validation, the first state value should be stored against a unique parameter that helps to identify the request from a particular user.

The main reason for this state validation is to stop Cross Site Request Forgery. For more information, refer to [1]. For the OIDC Basic flow, state is optional, but it is recommended to implement it for security purposes.

[1] - http://www.thread-safe.com/2014/05/the-correct-use-of-state-parameter-in.html

Thank You

On Fri, Jun 22, 2018 at 5:47 PM, Robert Munteanu <[email protected]> wrote:

> On Fri, 2018-06-22 at 14:31 +0300, Robert Munteanu wrote:
> > On Fri, 2018-06-22 at 15:38 +0530, Hasini Witharana wrote:
> > > Hi Robert,
> > >
> > > 1. User accesses the Apache Sling login page
> > > > - the login page contains a link to an external OAuth provider
> > > > (Google)
> > >
> > > We need to have a cookie at this point. When a user clicks the link, a
> > > request is sent to Google. This request contains a variable called
> > > state. I need to store this variable in a HashMap against the cookie value.
> >
> > Then you can use the API I suggested to add a cookie. The value can be
> > a UUID to make sure it's (practically) unique.
> >
> > In which step will that cookie's value be used?
>
> Based on the diagram from [1] I can now see where it is used. The
> follow-up question is what are you using it for?
>
> Thanks,
>
> Robert
>
> [1]: https://cwiki.apache.org/confluence/display/SLING/OIDC+Flow

--
*Hasini Witharana*
Undergraduate | Department of Computer Science and Engineering
University of Moratuwa
Linkedin <https://www.linkedin.com/in/hasini-witharana-185785109/>
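The cookie-to-state binding discussed in this thread, written out as an added example (Python, not code from the thread or from Sling): a UUID cookie identifies the browser's pending login, the state stored against it is compared constant-time on the callback, and the entry is single-use with an assumed 5-minute lifetime.

```python
import hmac
import secrets
import time
import uuid
from typing import Dict, Optional, Tuple

STATE_TTL_SECONDS = 300  # lifetime of a pending login (assumed value, not from the thread)

# Server-side store: cookie value -> (state, issued_at). In-memory here, like the
# HashMap mentioned in the thread; a clustered deployment needs a shared store.
_pending_logins: Dict[str, Tuple[str, float]] = {}


def begin_login(now: Optional[float] = None) -> Tuple[str, str]:
    """Start the flow: mint a login cookie and a state value bound to it.

    Returns (cookie_value, state). The caller sets the cookie on the browser
    and places the state in the authorization request sent to Google.
    """
    now = time.time() if now is None else now
    cookie_value = str(uuid.uuid4())      # identifies this browser's pending login
    state = secrets.token_urlsafe(32)     # unguessable, never reused
    _pending_logins[cookie_value] = (state, now)
    return cookie_value, state


def finish_login(cookie_value: Optional[str], returned_state: Optional[str],
                 now: Optional[float] = None) -> bool:
    """Handle the callback: accept only if the state Google echoed back matches
    the one stored for *this* browser's cookie, exactly once, within the TTL."""
    now = time.time() if now is None else now
    if not cookie_value or not returned_state:
        return False
    # pop() makes the state single-use: a replayed callback finds nothing.
    entry = _pending_logins.pop(cookie_value, None)
    if entry is None:
        return False
    expected_state, issued_at = entry
    if now - issued_at > STATE_TTL_SECONDS:
        return False
    # Constant-time comparison so the expected value cannot be probed via timing.
    return hmac.compare_digest(expected_state, returned_state)
```

A callback carrying a state that was issued to a different browser (the CSRF case the thread is guarding against) fails because the lookup is keyed by the victim's own cookie, not by the state value.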
