
State support #21

Open
uzyn opened this issue Jul 31, 2012 · 10 comments

uzyn (Member) commented Jul 31, 2012

To allow specifying a state parameter during auth that is passed back after successful or failed authentication.

Would require support from individual strategies, but Opauth is to wrap and standardize it across strategies.

Related: opauth/opauth-twitter#2

ceeram (Member) commented Feb 18, 2013

@uzyn what exactly do you mean by this? I also commented on the related ticket. Is this still a valid issue without the shipToCallback?

uzyn (Member, author) commented Feb 19, 2013

@ceeram This is unrelated to shipToCallback.

This is about supporting state, i.e. a string that gets passed around amidst all the requests.

> state
>
> A unique string used to maintain application state between the request and callback. When Facebook redirects the user back to your redirect_uri, this parameter's value will be included in the response. You should use this to protect against Cross-Site Request Forgery.

From: https://developers.facebook.com/docs/reference/dialogs/oauth/

This of course requires individual strategies to play nicely as well.
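The random-value-in-session approach that the comment above (and the Facebook documentation it quotes) describes, as an added example. This is illustrative PHP, not Opauth's own code or API: the in-memory $session array stands in for $_SESSION, and the Facebook authorization endpoint, client id and redirect URI are assumptions.

```php
<?php
// Added example, not Opauth code: create an unguessable OAuth 2.0 "state",
// remember it in the session, and check it once when the provider calls back.
// $session stands in for $_SESSION; endpoint and client values are placeholders.

declare(strict_types=1);

/**
 * Create a fresh random state and store it in the session, keyed by strategy so
 * that concurrent logins to different providers do not overwrite each other.
 */
function create_state(array &$session, string $strategy): string
{
    $state = bin2hex(random_bytes(32)); // 32 CSPRNG bytes -> 64 hex characters
    $session['opauth_state'][$strategy] = [
        'value'   => $state,
        'expires' => time() + 600, // assumption: ten minutes to finish the login
    ];
    return $state;
}

/**
 * Build the provider's authorization URL with the state attached.
 */
function build_authorize_url(string $authorizeEndpoint, array $params, string $state): string
{
    $params['state'] = $state;
    return $authorizeEndpoint . '?' . http_build_query($params);
}

/**
 * Compare the state echoed back on the callback with the stored one.
 * The stored value is removed whether or not the check passes, so each state
 * is usable exactly once and a replayed callback fails.
 */
function verify_state(array &$session, string $strategy, ?string $received): bool
{
    $stored = $session['opauth_state'][$strategy] ?? null;
    unset($session['opauth_state'][$strategy]); // one-time use

    if ($stored === null || $received === null || $received === '') {
        return false; // no login in progress, or the provider sent no state
    }
    if ($stored['expires'] < time()) {
        return false; // stale login attempt
    }
    // Constant-time comparison: a mismatch must not leak how many bytes agreed.
    return hash_equals($stored['value'], $received);
}

// --- Demonstration with a constructed session array ---
$session = [];

$state = create_state($session, 'Facebook');
$url = build_authorize_url(
    'https://www.facebook.com/dialog/oauth', // assumed endpoint for the dialog linked above
    [
        'client_id'    => 'APP_ID',          // placeholder
        'redirect_uri' => 'https://example.com/auth/facebook/oauth2callback',
        'scope'        => 'email',
    ],
    $state
);
echo "redirect the user to: $url\n";

// Genuine callback: the provider echoes the same state back.
var_dump(verify_state($session, 'Facebook', $state));

// Replay of that callback: the stored value is already gone.
var_dump(verify_state($session, 'Facebook', $state));

// Forged callback (CSRF): the attacker cannot know the victim's pending state.
create_state($session, 'Facebook');
var_dump(verify_state($session, 'Facebook', 'attacker-chosen-value'));
```

Only the first verify_state() call succeeds; the replay and the forged callback are rejected. Keying the stored value by strategy matters for a wrapper like Opauth that fronts several providers, and removing it before comparing keeps a failed check from leaving a usable token behind.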

uzyn (Member, author) commented Feb 19, 2013

Hmm, on second thought, maybe it is related to shipToCallback.

We can now simply include a standard state property in Response!

ceeram (Member) commented Jun 7, 2013

We can still not do that with the new Response object.
We either need to create a random value and store it in the session, or create a non-random value which can be recreated within opauth on the callback request.

ceeram (Member) commented Jun 7, 2013

We could however let the application itself handle the value, which will be passed to the config array, and just add an extra check to match the value. In the case of opauth/twitter#2 it would be the email address being tossed around, although for the facebook state parameter, it should be something unique.

ceeram (Member) commented Jul 4, 2013

state is supported in facebook: https://github.com/opauth/facebook/blob/wip/1.0/Strategy.php#L49

The problem with state is that every provider might handle it differently or not at all, so it's very strategy specific.

uzyn (Member, author) commented Jul 5, 2013

It is supported for a lot of providers, if not most. It would be best if we could have an interface to support state, but the actual state support will depend on the strategy author.

glen-84 commented Jul 5, 2013

I have checked these ones so far:

Strategy        State support
--------------  ---------------------------------------------------------------------------
Facebook        Yes
Flickr          No (I don't think so)
GitHub          Yes
Google          Yes
Instagram       Yes
LinkedIn        Yes
(Windows) Live  Yes
OpenID          Not sure, any ideas how this could be done with OpenID?
Twitter         No (see https://dev.twitter.com/discussions/19419) but can be done differently

I also think that state should be used for CSRF protection as described here.

Additional state (for example keeping track of the URL to return to after logging in), could be set with the run() method, for example: $opauth->run(array('my-state' => 123)) ... or maybe just a getter and setter (getState/setState).

glen-84 commented Aug 15, 2013

Any updates on this, or on 1.0 in general?

lingthio commented Sep 6, 2013

Hi & thanks for a great product!

I would like to use this state feature to pass a 'next-url', to redirect to a certain page after the login has completed successfully.

I just tested this out (Sep 2013) with the Google strategy.
Both opauth/opauth and opauth/google were installed recently.

If I set:
$config['Strategy']['Google']['state'] = 'myspecialvalue';

It does get passed to the Google URI:
https://accounts.google.com/AccountChooser? ... &state=myspecialvalue& ...

But the opauth callback (I'm using the 'post' method) does not show any 'state'.

  • The query params are empty
  • The POST data only holds one param: opauth
  • The opauth content does not contain any [state] data.

Thanks - @lingthio
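glen-84's suggestion of carrying extra application state (such as the URL to return to) next to the CSRF token, and lingthio's next-url use case above, can be served by a single state value, as long as it is not a fixed string: a constant like 'myspecialvalue' is reproducible by anyone and gives no CSRF protection. The added example below is illustrative PHP, not Opauth code. It signs a JSON payload with HMAC-SHA256 and binds it to the user's session, so it can be re-checked on the callback without any server-side store, in the spirit of ceeram's "non-random value which can be recreated" idea. The secret, session id and return path are constructed values.

```php
<?php
// Added example, not Opauth code: a self-describing OAuth "state" that carries
// application data (a post-login return path) and still protects against CSRF.
//   state = base64url(payload) . "." . base64url(HMAC-SHA256(secret, payload))
// Assumptions: $secret is a long server-side secret, $sessionId is the user's
// login session id (e.g. from session_id()); values below are constructed.

declare(strict_types=1);

function b64url_encode(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64url_decode(string $txt): ?string
{
    $bin = base64_decode(strtr($txt, '-_', '+/'), true); // strict: reject junk characters
    return $bin === false ? null : $bin;
}

/**
 * Build a signed state carrying $appData. The payload also holds a nonce, an
 * expiry and a fingerprint of the session id, so a state captured from one
 * browser session cannot be fed into another one.
 */
function make_state(string $secret, string $sessionId, array $appData, int $now): string
{
    $payload = json_encode([
        'n'   => bin2hex(random_bytes(16)),
        'sid' => hash('sha256', $sessionId),
        'exp' => $now + 600, // assumption: ten minutes to finish the login
        'app' => $appData,
    ], JSON_THROW_ON_ERROR | JSON_UNESCAPED_SLASHES);
    $sig = hash_hmac('sha256', $payload, $secret, true);
    return b64url_encode($payload) . '.' . b64url_encode($sig);
}

/**
 * Verify a state returned by the provider. Returns the application data, or
 * null if the encoding, signature, expiry or session binding is wrong.
 */
function read_state(string $secret, string $sessionId, ?string $state, int $now): ?array
{
    if ($state === null || substr_count($state, '.') !== 1) {
        return null;
    }
    [$p, $s] = explode('.', $state, 2);
    $payload = b64url_decode($p);
    $sig     = b64url_decode($s);
    if ($payload === null || $sig === null) {
        return null;
    }
    // Check the signature in constant time before trusting any field.
    if (!hash_equals(hash_hmac('sha256', $payload, $secret, true), $sig)) {
        return null;
    }
    $data = json_decode($payload, true);
    if (!is_array($data) || !is_int($data['exp'] ?? null) || $data['exp'] < $now) {
        return null;
    }
    // A correctly signed state from a different session is still a CSRF attempt.
    if (!is_string($data['sid'] ?? null) || !hash_equals(hash('sha256', $sessionId), $data['sid'])) {
        return null;
    }
    return is_array($data['app'] ?? null) ? $data['app'] : [];
}

/**
 * Accept only a same-site absolute path as the return target. Full URLs,
 * protocol-relative "//host" and "/\host" fall back to "/", so the state
 * parameter cannot be turned into an open redirect.
 */
function safe_next(?string $next): string
{
    if (!is_string($next) || $next === '' || $next[0] !== '/') {
        return '/';
    }
    if (strlen($next) > 1 && ($next[1] === '/' || $next[1] === '\\')) {
        return '/';
    }
    return $next;
}

// --- Demonstration with constructed values ---
$secret    = 'replace-with-a-long-random-secret';
$sessionId = 'session-abc123';
$now       = time();

$state = make_state($secret, $sessionId, ['next' => '/account/settings'], $now);
echo "state parameter: $state\n";

// Genuine callback in the same session: payload is accepted and the path is used.
$app = read_state($secret, $sessionId, $state, $now);
echo 'same session   -> redirect to ' . safe_next($app['next'] ?? null) . "\n";

// The same state arriving in another browser session (CSRF): rejected.
var_dump(read_state($secret, 'session-of-attacker', $state, $now));

// Tampered payload (attacker rewrites the return path): signature no longer matches.
[$p, $s] = explode('.', $state, 2);
$forged = b64url_encode(str_replace('/account/settings', 'https://evil.example', b64url_decode($p))) . '.' . $s;
var_dump(read_state($secret, $sessionId, $forged, $now));

// Even a validly signed but hostile return path is neutralised by safe_next().
echo 'hostile path   -> redirect to ' . safe_next('//evil.example/phish') . "\n";
```

The trade-off against a stored random value is replay: because nothing is kept server-side, the same signed state is accepted any number of times until it expires, which is why the expiry window is short and the session binding is checked. If one-time use is required, keep the nonce in the session as well, or use the stored-value approach instead.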

@glen-84 glen-84 mentioned this issue Oct 20, 2014