On Sat, 2018-06-23 at 00:28 +0530, Hasini Witharana wrote:
> > The follow-up question is what are you using it for?
>
> As I mentioned before, the authorization request to Google contains a
> variable "state". After the user is authenticated, Google will send a
> response attaching the same "state" value. We need to check the two state
> variables and validate that both are equal. To do this validation, the first
> state value should be stored against a unique parameter that helps to
> identify the request from a particular user.
>
> The main reason for this state validation is to stop Cross Site Request
> Forgery. For more information, refer to [1]. For the OIDC Basic flow, state
> is optional. But it is recommended to implement it for security purposes.
>
> [1] - http://www.thread-safe.com/2014/05/the-correct-use-of-state-parameter-in.html
OK, so IIUC you need to

a) generate a unique value for a given authentication request
b) send it via the 'state' parameter to the authentication endpoint
c) when the authentication callback is received, validate that the 'state' parameter sent is the one that is expected

I'm missing something here I think, also looking at the OIDC flow diagram from [2]. When the auth endpoint calls back to the relying party (authorization code request) with a state parameter, we need to check that it is valid against a particular user, right? But how do we identify that specific user (in Apache Sling), since there is no authentication done?

Thanks,
Robert

[2]: https://cwiki.apache.org/confluence/display/SLING/OIDC+Flow
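A worked illustration of the state handling discussed above, added here as an example; it is not code from this thread or from Apache Sling, and it is written in Python as a language-neutral sketch rather than in Sling's Java. It assumes the relying party sets a browser session cookie before redirecting and keys the pending state on that cookie value, since that is the only handle it has on a not-yet-authenticated user; the function names, the in-memory store and the 10-minute lifetime are assumptions.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed in-memory store: session cookie value -> (state, expiry time).
# A real relying party would keep this in its server-side session storage.
PendingStates = Dict[str, Tuple[str, float]]

STATE_TTL_SECONDS = 600  # assumption: a login attempt must finish within 10 minutes


def begin_login(store: PendingStates, session_cookie: str, now: float) -> str:
    """Issue an unguessable 'state' value bound to this browser session.

    No user is authenticated yet, so the session cookie the relying party set
    on the browser is what ties the later callback back to this request.
    """
    state = secrets.token_urlsafe(32)  # 256 bits of CSPRNG-derived randomness
    store[session_cookie] = (state, now + STATE_TTL_SECONDS)
    return state  # caller puts this in the 'state' query parameter of the redirect


def finish_login(store: PendingStates, session_cookie: Optional[str],
                 returned_state: Optional[str], now: float) -> bool:
    """Validate the 'state' echoed back on the callback.

    True only if the value matches the one issued to this same browser session,
    has not expired and has not been used before. Any other case is rejected,
    which is what stops a forged or cross-session callback from completing.
    """
    if not session_cookie or not returned_state:
        return False  # callback with no session or no state: nothing to validate
    pending = store.pop(session_cookie, None)  # single use: consumed on first try
    if pending is None:
        return False  # this browser never started a login
    expected, expires_at = pending
    if now > expires_at:
        return False  # stale request; user must start over
    # Constant-time comparison so a mismatch leaks nothing about the expected value.
    return hmac.compare_digest(expected.encode(), returned_state.encode())
```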
