
[Hosted UI] State parameter #147

Open
alshdavid opened this issue Jul 22, 2018 · 2 comments

Comments

@alshdavid alshdavid commented Jul 22, 2018

Hey, not sure where else to talk about the hosted ui.

How do I use the state parameter with the Hosted UI?

@kuabhila kuabhila commented Aug 1, 2018

You could use a client-generated value in the state parameter to prevent CSRF attacks. Cognito's login & Authorization endpoints support this parameter. So, include a sufficiently large & random value in the state parameter while entering the URL in your client/browser.

@vpod vpod commented Aug 13, 2018

From what I see, the SDK generates the state automatically if none is set. However, it does not store the generated value and does not validate it upon callback (see getFQDNSignIn()).
Why is that?
I would agree that it is the user's responsibility to do this, but since the SDK has already made the first step of generating a random value, maybe it would be reasonable to use it? At least I see no reason not to add the storage and validation.

What would the maintainers say?
