setting state when using google
Hi, I am using goth to handle Google SSO login, but I am confused about how I should set a state so that I can get the state value back after Google has finished authenticating the user. Thanks
Reference: https://developers.google.com/identity/protocols/oauth2/web-server#httprest (from the Google Identity documentation):
state: Specifies any string value that your application uses to maintain state between your authorization request and the authorization server's response. The server returns the exact value that you send as a name=value pair in the URL query component (?) of the redirect_uri after the user consents to or denies your application's access request.
You can use this parameter for several purposes, such as directing the user to the correct resource in your application, sending nonces, and mitigating cross-site request forgery. Since your redirect_uri can be guessed, using a state value can increase your assurance that an incoming connection is the result of an authentication request. If you generate a random string or encode the hash of a cookie or another value that captures the client's state, you can validate the response to additionally ensure that the request and response originated in the same browser, providing protection against attacks such as cross-site request forgery. See the OpenID Connect documentation for an example of how to create and confirm a state token.
Similar issue: https://github.com/googleapis/google-auth-library-ruby/issues/94
Having the same issue: the state seems to be different after receiving the request back from the provider. Has anyone figured out how to fix this, or has someone else encountered the same issue?
The auth URL here https://github.com/markbates/goth/blob/master/examples/main.go#L250 needs to be called with a state param. The callback URL, here https://github.com/markbates/goth/blob/master/examples/main.go#L233, will be called with the same state param.
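As an added example (not code from this thread, from goth, or from Google), here is the pattern the answer above and the quoted Google docs describe, written with only the Go standard library: generate a random state, bind it to the browser via an HttpOnly cookie, send it on the authorization URL, and on the callback accept the request only if the echoed state matches the cookie. The client ID, redirect URI and port are placeholders. Nothing here exchanges the authorization code for tokens; that step is left out.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"log"
	"net/http"
	"net/url"
)

// Placeholder values (assumptions for this example, not real credentials).
const (
	clientID    = "YOUR_CLIENT_ID.apps.googleusercontent.com"
	redirectURI = "https://localhost:3000/auth/google/callback"
	stateCookie = "oauth_state"
)

var errStateMismatch = errors.New("oauth state mismatch: callback did not originate from this browser's login")

// newState returns 32 bytes from crypto/rand as a URL-safe token (43 chars).
func newState() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// authURL builds Google's authorization endpoint URL with the state attached.
// Google echoes the same state value back on the redirect_uri.
func authURL(clientID, redirectURI, state string) string {
	q := url.Values{}
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("response_type", "code")
	q.Set("scope", "openid email profile")
	q.Set("state", state)
	return "https://accounts.google.com/o/oauth2/v2/auth?" + q.Encode()
}

// beginAuth mints a state, stores it in a short-lived HttpOnly cookie so it is
// tied to this browser, and redirects the user to Google with the same state.
func beginAuth(w http.ResponseWriter, r *http.Request) {
	state, err := newState()
	if err != nil {
		http.Error(w, "cannot generate state", http.StatusInternalServerError)
		return
	}
	http.SetCookie(w, &http.Cookie{
		Name: stateCookie, Value: state, Path: "/",
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode,
		MaxAge: 600, // login must complete within 10 minutes
	})
	http.Redirect(w, r, authURL(clientID, redirectURI, state), http.StatusFound)
}

// verifyState compares the state Google returned in the query string with the
// one stored in the cookie, in constant time. A mismatch (the symptom reported
// above) means the callback was not started by this browser and must be rejected.
func verifyState(r *http.Request) (string, error) {
	c, err := r.Cookie(stateCookie)
	if err != nil || c.Value == "" {
		return "", errors.New("missing state cookie: login was not started here or has expired")
	}
	got := r.URL.Query().Get("state")
	if subtle.ConstantTimeCompare([]byte(got), []byte(c.Value)) != 1 {
		return "", errStateMismatch
	}
	return got, nil
}

// callback is the redirect_uri handler: it validates state before touching the code.
func callback(w http.ResponseWriter, r *http.Request) {
	state, err := verifyState(r)
	// The state is single-use: clear the cookie whether or not it matched.
	http.SetCookie(w, &http.Cookie{Name: stateCookie, Value: "", Path: "/", MaxAge: -1, HttpOnly: true, Secure: true})
	if err != nil {
		http.Error(w, err.Error(), http.StatusForbidden)
		return
	}
	code := r.URL.Query().Get("code")
	// Token exchange with the code would happen here (omitted).
	fmt.Fprintf(w, "state %q verified, received authorization code %q\n", state, code)
}

func main() {
	http.HandleFunc("/auth/google", beginAuth)
	http.HandleFunc("/auth/google/callback", callback)
	log.Fatal(http.ListenAndServe(":3000", nil))
}
```

The cookie is what makes the check meaningful: the state alone proves only that someone started a login, while matching it against a value the browser already holds proves the login was started in this browser. In goth, the gothic package's SetState and GetState hooks are the points where a custom generator and reader like these would be plugged in.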