Skip to content

Commit

Permalink
feat(oauth2-set-state): Allow set state in case it exists on oauth2 p…
Browse files Browse the repository at this point in the history
…rovider [#253]
  • Loading branch information
farnabaz authored Feb 10, 2019
2 parents 8e6cd92 + bda974e commit 6420ddc
Show file tree
Hide file tree
Showing 2 changed files with 11 additions and 3 deletions.
8 changes: 7 additions & 1 deletion docs/schemes/oauth2.md
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,8 @@ auth: {
token_type: 'Bearer',
redirect_uri: undefined,
client_id: 'SET_ME',
token_key: 'access_token'
token_key: 'access_token',
state: 'UNIQUE_AND_NON_GUESSABLE'
}
}
}
Expand Down Expand Up @@ -64,6 +65,11 @@ By default is set to `token_key: 'access_token'`. If you need to use the IdToken

By default is set to `refresh_token_key: 'refresh_token'`. It automatically store the refresh_token, if it exists.

### `state`

By default is set to random generated string.
The primary reason for using the state parameter is to mitigate CSRF attacks. ([read more](https://auth0.com/docs/protocols/oauth2/oauth-state))

## Usage

```js
Expand Down
6 changes: 4 additions & 2 deletions lib/schemes/oauth2.js
Original file line number Diff line number Diff line change
Expand Up @@ -70,8 +70,10 @@ export default class Oauth2Scheme {
client_id: this.options.client_id,
redirect_uri: this._redirectURI,
scope: this._scope,
state: randomString()
}
// Note: The primary reason for using the state parameter is to mitigate CSRF attacks.
// @see: https://auth0.com/docs/protocols/oauth2/oauth-state
state: this.options.state || randomString(),
};

if (this.options.audience) {
opts.audience = this.options.audience
Expand Down

0 comments on commit 6420ddc

Please sign in to comment.