https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675
--- Comment #3 from David Cook <[email protected]> ---
(In reply to Tomás Cohen Arazi from comment #1)
> This is a recommended openid-connect parameter [1] and OAuth2 integrations
> seem to require it [2], but I'm not sure if it should be enforced. Basically
> because I don't know all the IdPs around.

It looks like OAuth2 also only recommends it:
https://www.rfc-editor.org/rfc/rfc6749#section-4.1.1

However, the specs do say that the "state" parameter is required in the Authorization Response if it was included in the Authorization Request:
https://www.rfc-editor.org/rfc/rfc6749#section-4.1.2

I suspect that most IdPs should support "state" if they want to be spec compliant, although I suppose there's no guarantee. I've certainly dealt with 1 non-compliant IdP in the past, although that was nearly 10 years ago now.

If we are worried, I think we could make using "state" optional in terms of whether or not to send it, but... I think it should be all right.
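The "state" rule from RFC 6749 sections 4.1.1 and 4.1.2 discussed in this comment, as an added Python example that is not part of the original comment and is not Koha's code. The function names, the `send_state` switch, the `session` dict and the example hostnames are all hypothetical.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def build_authorization_url(endpoint, client_id, redirect_uri, session, send_state=True):
    """Build the Authorization Request and record it as pending in the session.

    send_state is the hypothetical opt-out for an IdP that does not echo "state".
    """
    state = secrets.token_urlsafe(32) if send_state else None
    # Remember that a request is in flight, and which state (if any) it carried.
    session["oauth_pending"] = {"state": state}
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
    }
    if state is not None:
        params["state"] = state
    return f"{endpoint}?{urlencode(params)}"


def authorization_code_from_callback(callback_url, session):
    """Return the authorization code, or raise ValueError if the response is rejected."""
    # pop() makes the pending request single-use, so a replayed callback fails.
    pending = session.pop("oauth_pending", None)
    if pending is None:
        raise ValueError("no authorization request pending for this session")

    query = parse_qs(urlparse(callback_url).query)
    received = query.get("state", [None])[0]
    expected = pending["state"]

    if expected is not None:
        # RFC 6749 4.1.2: "state" is REQUIRED in the response if the request had it.
        if received is None:
            raise ValueError("state missing from authorization response")
        # Compare as bytes in constant time; str input must be ASCII-only otherwise.
        if not hmac.compare_digest(expected.encode(), received.encode()):
            raise ValueError("state does not match the pending request")
    # If no state was sent, nothing ties this response to the session's request.

    code = query.get("code", [None])[0]
    if code is None:
        raise ValueError("authorization response carries no code")
    return code
```
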
