Add the 'state' query parameter to the authenticate call #14

Closed
arius25 opened this Issue · 4 comments

2 participants

@arius25

Please add the 'state' parameter to the authenticate call for the strategies which support it (e.g. Facebook) as per
https://developers.facebook.com/docs/authentication/server-side/

Thanks,
Marius

@jaredhanson
Owner

In this commit to passport-oauth, I've added support for a state option, which can be used like so:

passport.authenticate('facebook', { state: 'foo' })

Thinking this through a bit more though, it seems like it might be a better option to implement a boolean version of the option:

passport.authenticate('facebook', { state: true })

In that case, Passport would generate a unique nonce before redirecting, save it to the session, and then verify it on the callback route. The string-only option doesn't seem entirely useful, since the verification is more easily done inside Passport.

What do you think?

@arius25
@jaredhanson
Owner

Agreed. I'll get this option implemented in the next couple of days.

@jaredhanson
Owner

This is implemented in passport-oauth2 v1.0.0 (which passport-facebook v1.0.0 uses). To use it, enable state when creating your strategy:

var strategy = new FacebookStrategy({
  clientID: 'ABC123',
  clientSecret: 'secret',
  state: true
}, function() {...});