State support #21
Comments
@uzyn what exactly do you mean by this? I also commented on the related ticket. Is this still a valid issue without the shipToCallback?

@ceeram This is unrelated to This is about supporting state, i.e. a string that gets passed around amidst all the requests.
This of course requires individual strategies to play nicely as well.

Hmm, on second thought, maybe it is related to We can now simply include a standard

We can still not do that with the new Response object.

We could however let the application itself handle the value which will be passed to config array, and just add extra check for to match the value. In case of the opauth/twitter#2 it would be the email address being tossed around, although for the facebook state parameter, it should be something unique.

state is supported in facebook: https://github.com/opauth/facebook/blob/wip/1.0/Strategy.php#L49 The problem with state is that every provider might handle it differently or not at all, so it's very strategy specific.

It is supported for a lot of providers, if not most. It would be best if we could have an interface to support state, but the actual state support will be dependent on strategy author.

I have checked these ones so far:
I also think that state should be used for CSRF protection as described here. Additional state (for example keeping track of the URL to return to after logging in), could be set with the run() method, for example: $opauth->run(array('my-state' => 123)) ... or maybe just a getter and setter (getState/setState).

Any updates on this, or on 1.0 in general?

Hi & thanks for a great product! I would like to use this state feature to pass a 'next-url', to redirect to a certain page after the login has completed successfully. I just tested this out (Sep 2013) with the Google strategy. If I set: It does get passed to the Google URI: But the opauth callback (I'm using the 'post' method) does not show any 'state'.
Thanks - @lingthio

To allow specifying a state parameter during auth that is passed back after successful or failed authentication.
Would require support from individual strategies, but Opauth is to wrap and standardize it across strategies.
Related: opauth/opauth-twitter#2
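
The two uses of state raised in this thread (CSRF protection and carrying a return URL) can be combined by keeping the return URL server-side and sending only a random value as `state`. The sketch below is an added example, not part of the thread and not Opauth code; `beginAuth`, `finishAuth`, `safeNextUrl` and the session key are hypothetical names, and a plain array stands in for `$_SESSION`.

```php
<?php
// Added example, not Opauth code: function names and the session key are hypothetical.
const STATE_KEY = 'oauth_state'; // hypothetical session key
const STATE_TTL = 600;           // seconds a pending login stays valid

// Keep "next-url" to a same-site absolute path so it cannot become an open redirect.
function safeNextUrl(string $next): string
{
    // Must start with a single "/", not "//" or "/\", and contain no CR/LF.
    return preg_match('#^/(?![/\\\\])[^\r\n]*\z#', $next) === 1 ? $next : '/';
}

// Before redirecting to the provider: bind a random state to this browser session.
function beginAuth(array &$session, string $nextUrl): string
{
    $state = bin2hex(random_bytes(32));
    $session[STATE_KEY] = [
        'value'   => $state,
        'next'    => safeNextUrl($nextUrl),
        'expires' => time() + STATE_TTL,
    ];
    return $state; // sent as the provider's "state" query parameter
}

// In the callback: returns the URL to continue to, or null if the check fails.
function finishAuth(array &$session, $returnedState): ?string
{
    $pending = $session[STATE_KEY] ?? null;
    unset($session[STATE_KEY]); // single use, whatever the outcome
    if (!is_array($pending) || !is_string($returnedState)) {
        return null;
    }
    if (time() > $pending['expires'] || !hash_equals($pending['value'], $returnedState)) {
        return null;
    }
    return $pending['next'];
}

// Constructed demo with a plain array standing in for $_SESSION.
$session = [];
$state = beginAuth($session, '/account/settings');
var_dump(finishAuth($session, $state));          // matching state
var_dump(finishAuth($session, $state));          // replay of a used state
$other = beginAuth($session, '//evil.example/'); // off-site next-url (constructed)
var_dump(finishAuth($session, 'forged-value'));  // state that was never issued
```

Because the return URL never travels through the provider, the `state` value stays opaque and a tampered callback cannot change where the user lands.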