Add the 'state' query parameter to the authenticate call #14

Closed
arius25 opened this Issue Jun 7, 2012 · 8 comments

arius25 commented Jun 7, 2012

Please add the 'state' parameter to the authenticate call for the strategies which support it (e.g. Facebook) as per
https://developers.facebook.com/docs/authentication/server-side/

Thanks,
Marius

Owner

jaredhanson commented Jun 8, 2012

In this commit to passport-oauth, I've added support for a state option, which can be used like so:

passport.authenticate('facebook', { state: 'foo' })

Thinking this through a bit more though, it seems like it might be a better option to implement a boolean version of the option:

passport.authenticate('facebook', { state: true })

In that case, Passport would generate a unique nonce before redirecting, save it to the session, and then verify it on the callback route. The string-only option doesn't seem entirely useful, since the verification is more easily done inside Passport.

What do you think?

arius25 commented Jun 8, 2012

I think the second option (nonce generated and verified by Passport) is the better solution.

Thanks for getting to it so quickly!

Owner

jaredhanson commented Jun 8, 2012

Agreed. I'll get this option implemented in the next couple of days.

Owner

jaredhanson commented Aug 15, 2013

This is implemented in passport-oauth2 v1.0.0 (which passport-facebook v1.0.0 uses). To use it, enable state when creating your strategy:

var FacebookStrategy = require('passport-facebook').Strategy;

var strategy = new FacebookStrategy({
  clientID: 'ABC123',
  clientSecret: 'secret',
  state: true   // Passport generates the nonce, stores it in the session and checks it on the callback
}, function(accessToken, refreshToken, profile, done) {
  // verify callback: look up or create the user for this profile
  done(null, profile);
});

wzup commented Jun 5, 2017

It is not documented, is it?
There is no 'state' word anywhere in the README.md.

1. Why? Does it work whatsoever?
2. Where can I read ALL parameters that may be passed to the strategy config? In one place, please. Now I have to search for them all over the internet, one by one. passReqToCallback isn't mentioned in README.md either. Now state. I'm curious how many good options are hidden, not documented properly.

Is string state still supported?
My scenario is to pass some encoded JSON to /auth/facebook/callback with these extra parameters.
I need to avoid usage of session.

Any luck with a custom state string?

CLClark commented Jan 11, 2018

Passing "state: true" causes the Strategy object, upon instantiation, to write itself a "_stateStore" property with the value coming from ('passport-oauth2/state/session').SessionStore. Look up that module to see how the "state" field is handled... There does not appear to be a way to modify the state constructor without editing the SessionStore code. SessionStore is referred to as SessionStateStore in the passport-oauth2 constructor (from which passport-facebook strategy inherits).
