> When the auth endpoint calls back to the relying party (authorization
> code request) with a state parameter, we need to check that it is valid
> against a particular user, right? But how do we identify that specific
> user (in Apache Sling), since there is no authentication done?

We need to validate it against the authorization request sent from the user, that is why I need a cookie.

Thank you.

On Mon, Jun 25, 2018 at 3:16 PM, Robert Munteanu <[email protected]> wrote:

> On Sat, 2018-06-23 at 00:28 +0530, Hasini Witharana wrote:
> >
> > > The follow-up question is what are you using it for?
> >
> > As I mentioned before, the authorization request to Google contains a
> > variable "state". After the user is authenticated, Google will send a
> > response with the same "state" value attached. We need to check the two
> > state variables and validate that both are equal. To do this validation
> > the first state value should be stored against a unique parameter that
> > helps to identify the request from a particular user.
> >
> > The main reason for this state validation is to stop Cross Site Request
> > Forgery. For more information refer to [1]. For the OIDC Basic flow,
> > state is optional, but it is recommended to implement it for security
> > purposes.
> >
> > [1] - http://www.thread-safe.com/2014/05/the-correct-use-of-state-parameter-in.html
>
> OK, so IIUC you need to
>
> a) generate a unique value for a given authentication request
> b) send it via the 'state' parameter to the authentication end point
> c) when the authentication callback is received, validate that the
>    'state' parameter sent is the one that is expected
>
> I'm missing something here I think, also looking at the OIDC flow
> diagram from [2].
>
> When the auth endpoint calls back to the relying party (authorization
> code request) with a state parameter, we need to check that it is valid
> against a particular user, right? But how do we identify that specific
> user (in Apache Sling), since there is no authentication done?
>
> Thanks,
>
> Robert
>
> [2]: https://cwiki.apache.org/confluence/display/SLING/OIDC+Flow

--
*Hasini Witharana*
Undergraduate | Department of Computer Science and Engineering
University of Moratuwa
Linkedin <https://www.linkedin.com/in/hasini-witharana-185785109/>
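One way to do the binding discussed in this thread (a random 'state' stored against a per-browser session id carried in an HttpOnly cookie, then compared on the callback and consumed once), as an added example that is not code from the thread or from Apache Sling. The cookie name, the in-memory store and the stateless HMAC variant are assumptions made for this example.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

COOKIE_NAME = "oidc_sid"  # hypothetical cookie name chosen for this example


class RelyingParty:
    """Minimal model of the relying-party side of the authorization-code flow."""

    def __init__(self) -> None:
        # Pending logins keyed by the session id that lives in the cookie.
        # Assumption: an in-memory dict stands in for a real session store.
        self._pending: Dict[str, str] = {}

    def start_login(self) -> Tuple[str, str, str]:
        """Begin a login: returns (session id, Set-Cookie value, state)."""
        sid = secrets.token_urlsafe(32)    # unguessable cookie value
        state = secrets.token_urlsafe(32)  # random 'state' sent to the IdP
        self._pending[sid] = state
        cookie = f"{COOKIE_NAME}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"
        return sid, cookie, state

    def handle_callback(self, cookie_sid: Optional[str], returned_state: str) -> bool:
        """Validate the callback 'state' against the login this browser started.

        The pending entry is removed before comparing, so each state is
        accepted at most once; a callback with no cookie, an unknown cookie,
        or a mismatched state is rejected (the CSRF case from the thread)."""
        if cookie_sid is None:
            return False  # no cookie: this browser never started a login
        expected = self._pending.pop(cookie_sid, None)
        if expected is None:
            return False  # unknown session or state already consumed
        return hmac.compare_digest(expected, returned_state)


def stateless_state(server_key: bytes, sid: str) -> str:
    """Stateless alternative: derive 'state' from the cookie value with an HMAC
    under a server-side key, so nothing needs to be stored per request."""
    return hmac.new(server_key, sid.encode(), "sha256").hexdigest()


def verify_stateless(server_key: bytes, cookie_sid: Optional[str], returned_state: str) -> bool:
    """Recompute the expected state from the cookie and compare in constant time.
    Note: without a store this variant cannot enforce one-time use by itself."""
    if cookie_sid is None:
        return False
    return hmac.compare_digest(stateless_state(server_key, cookie_sid), returned_state)
```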
