On Mon, 2018-06-25 at 15:30 +0530, Hasini Witharana wrote:
> > 
> > When the auth endpoint calls back to the relying party (authorization
> > code request) with a state parameter, we need to check that it is valid
> > against a particular user, right? But how do we identify that specific
> > user (in Apache Sling), since there is no authentication done?
> > 
> 
> We need to validate it against the authorization request sent from the
> user, that is why I need a cookie.


'Sent from the user' -> I assume that's sent from the user's browser,
but to whom? To the Authorization endpoint? And is that supposed to be
set by the Relying Party?

Robert
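
The state check discussed in this thread, as an added example that is not part of the original messages and is not Apache Sling code: the relying party sets a cookie holding the `state` value before redirecting the browser to the authorization endpoint, then compares it with the `state` returned on the callback. The cookie name, URLs and function names are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

STATE_COOKIE = "oidc_state"  # hypothetical cookie name


def begin_authorization(authz_endpoint, client_id, redirect_uri):
    """Relying party, step 1: bind a fresh state value to this browser.

    Returns (redirect_url, set_cookie_header). No login is needed yet: the
    cookie identifies the browser that started the flow, not a user.
    """
    state = secrets.token_urlsafe(32)  # unguessable, one per request
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
    })
    # SameSite=Lax still lets the cookie accompany the top-level GET redirect
    # coming back from the authorization endpoint; Strict would drop it.
    cookie = (f"{STATE_COOKIE}={state}; Path=/; Secure; HttpOnly; "
              "SameSite=Lax; Max-Age=600")
    return f"{authz_endpoint}?{query}", cookie


def parse_cookies(header):
    """Parse a request Cookie header into a dict."""
    pairs = (p.strip().split("=", 1) for p in header.split(";") if "=" in p)
    return {name: value for name, value in pairs}


def handle_callback(callback_url, cookie_header):
    """Relying party, step 2: return the code only if state matches the cookie.

    Returns None when the state is missing or differs, i.e. the callback does
    not belong to an authorization request started from this browser.
    """
    params = parse_qs(urlparse(callback_url).query)
    returned = params.get("state", [""])[0]
    expected = parse_cookies(cookie_header).get(STATE_COOKIE, "")
    if not returned or not expected:
        return None
    if not hmac.compare_digest(expected.encode(), returned.encode()):
        return None
    # A real handler would also expire the cookie here so state is single-use.
    return params.get("code", [None])[0]
```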
