On Mon, 2018-06-25 at 15:50 +0530, Hasini Witharana wrote:
> >
> > 'Sent from the user' -> I assume that's sent from the user's browser,
> > but to whom? To the Authorization endpoint? And is that supposed to be
> > set by the Relying Party?
> >
>
> Sent from user's browser to Google's authorization endpoint. Relying party
> needs to do the state validation, hence I think RP should set the cookie
> value.

So then you could set a third-party cookie from Sling, i.e. a cookie that is set for a different domain, matching whatever the Google auth endpoint is. Would that work?

Robert
