OAuth 2.0 Providers and State

It seems that a number of OAuth 2.0 providers do not support the state parameter, even though the specification requires them to support it.

I just updated the jso library to be able to deal with that.

When you cannot keep state, you run into at least two challenges:

  • you don’t know which provider sent the access token (if you accept multiple providers on the same callback)
  • you don’t know which scopes you sent in the request. It would be natural to fall back to those scopes in your token cache when the response does not include scopes. Instead, you now need to configure global scope fallbacks.

The jso documentation has been updated to explain how to deal with this.
