chore(doc): add docs for oauth2 state param
farnabaz committed Feb 10, 2019
1 parent cd52236 commit bda974e
Showing 2 changed files with 9 additions and 1 deletion.
8 changes: 7 additions & 1 deletion docs/schemes/oauth2.md
Expand Up @@ -18,7 +18,8 @@ auth: {
token_type: 'Bearer',
redirect_uri: undefined,
client_id: 'SET_ME',
token_key: 'access_token'
token_key: 'access_token',
state: 'UNIQUE_AND_NON_GUESSABLE'
}
}
}
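Review bot: the added `state: 'UNIQUE_AND_NON_GUESSABLE'` in the sample config reads as a value to copy verbatim, and a fixed string configured once is the opposite of what the `state` parameter needs: it is identical for every authorization request, so it no longer ties a callback to the session that started the flow and the CSRF mitigation the commit cites is lost. Since the library hunk already falls back to `randomString()` when no option is set, consider dropping the key from the default block, or making the sample clearly a placeholder and stating next to it that the value must be unique per request, not a constant.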
Expand Down Expand Up @@ -64,6 +65,11 @@ By default is set to `token_key: 'access_token'`. If you need to use the IdToken

By default is set to `refresh_token_key: 'refresh_token'`. It automatically store the refresh_token, if it exists.

### `state`

By default is set to random generated string.
The primary reason for using the state parameter is to mitigate CSRF attacks. ([read more](https://auth0.com/docs/protocols/oauth2/oauth-state))

## Usage

```js
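Review bot: "By default is set to random generated string." should read "By default it is set to a randomly generated string." More importantly, the new `state` section only explains why the parameter exists; it should also tell readers what happens when they override the default, namely that a hardcoded string removes the per-request unpredictability and should be avoided unless the value is generated per request, and whether the library checks the returned `state` on the callback (the doc currently describes only how it is sent). A one-line note on each would keep users from configuring the option in a way that silently disables the protection.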
2 changes: 2 additions & 0 deletions lib/schemes/oauth2.js
Expand Up @@ -70,6 +70,8 @@ export default class Oauth2Scheme {
client_id: this.options.client_id,
redirect_uri: this._redirectURI,
scope: this._scope,
// Note: The primary reason for using the state parameter is to mitigate CSRF attacks.
// @see: https://auth0.com/docs/protocols/oauth2/oauth-state
state: this.options.state || randomString(),
};
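Review bot: `state: this.options.state || randomString()` only generates the value for the authorization request; nothing in this hunk stores the generated string (cookie, local storage, session) or compares it with the `state` returned on the callback, and without that check the parameter does not mitigate CSRF at all, whatever the comment says. If the verification already exists elsewhere in `Oauth2Scheme`, reference it in the comment; if not, it should be added together with this change. Two smaller points: `randomString` is not shown being imported or defined in the visible lines, so confirm it is, and because `this.options.state` is read as a plain value, a user who sets it gets the same state on every request; accepting a function (or generating per request and ignoring a static option) would avoid that footgun.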


0 comments on commit bda974e
