Aaron L

I'm not sure what this is for. There's already a mechanism for redirecting somewhere based on the redir url parameter that gets passed at the beginning of the OAuth2 flow.

There exists redirect mechanisms specific to Oauth2 that are separate from what you're talking about: https://github.com/volatiletech/authboss/blob/master/oauth2/oauth2.go#L132 https://github.com/volatiletech/authboss/blob/master/oauth2/oauth2.go#L274 Pretty sure some combination of these things will suit your use case?

Okay, so one of the key issues here is that your Redirector implementation has custom code in it that you want to activate, rather than using the secondary redirection mechanism...

As long as it's all done via optional interfaces as you're suggesting I think this is an easily acceptable proposal as it wouldn't be breaking and provides reasonably interesting functionality...

Absolutely. I'll work with you to code review it etc. If you need any help/advice just add comments to this issue. One thing to note is no new modules should...

This isn't currently possible! authboss-clientstate dictates nothing around this, it's all the constant value that you see there.

I think the best course of action here is to create a second confirm module that works as you're specifying. That should allow the flexibility we need for this functionality.

@rbren I think that you're making an assumption that all sites want to allow partial access to unconfirmed users. In the main site that I use authboss for as an...

Doesn't seem that there's any reason other than EndPost was written before UpdatePassword was. A PR would be accepted.

See my comment to your comment about the behavior of your Cookie/Session storers.