PHP Classes

State Parameter

Subject:State Parameter
Summary:Passing a state param to oauth request so response has it too
Messages:6
Author:Jon Abaca
Date:2017-07-18 07:37:53

1. State Parameter
Jon Abaca - 2017-07-18 07:37:53
Good day,

I am using the OAuth class to link a Google account to our own user account. I would like to pass the user id to the OAuth request. When it goes to the redirect URI, it will pass the user id back. Do you have an example of this?

Kind regards,

Jon

2. Re: State Parameter
Manuel Lemos - 2017-07-18 07:51:37 - In reply to message 1 from Jon Abaca
I am not sure what you mean.

Do you want to force authorizing on behalf of a specific user?

3. Re: State Parameter
Sebas - 2017-08-19 19:16:57 - In reply to message 2 from Manuel Lemos
The state parameter by default is designed in OAuth 2.0 for passing a certain custom value to the provider's API and getting exactly the same value back as a response from the round-trip API call. Which means if I define state='my-own-token-123', that value will go to the API provider's server and come back in the URL from the provider, for checking whether those values are the same. So the question is: how do I pass a custom value in "state" using your class?

Thanks

4. Re: State Parameter
James AwokeKnowing - 2018-08-01 17:11:56 - In reply to message 3 from Sebas
Did you find a solution for this?

5. Re: State Parameter
Manuel Lemos - 2018-08-02 04:53:48 - In reply to message 3 from Sebas
Hello Sebas and James,

Sorry for the late response. The class sets the state to a specific value not only to verify it is the same, but also to embed an expiry time to avoid security attacks.

I recommend that you avoid changing the state to an arbitrary value, or else the class will not be able to verify it with all the security requirements.

Anyway, if you tell me why you want to change the state parameter, I may figure out a better solution. Can you explain?

6. Re: State Parameter
James AwokeKnowing - 2018-08-02 15:07:39 - In reply to message 5 from Manuel Lemos
Hi, I understand why having the state handled internally can help avoid mistakes which might allow people to re-use responses.

However, from this article it seems state was indeed intended for 'state'.

thread-safe.com/2014/05/the-correct ...

Anyways, I work with an API project that does not use $_SESSION. Everything is stateless REST. So when a user logs in, I need to get them back to the page they're supposed to be at, and have some other state info. However, many OAuth servers require a preregistered redirect_uri, and if you add parameters there, it fails.

So concretely the issue is that when the user arrives back at redirect_uri, I have no idea where this belongs, to forward him there. Furthermore, users are grouped into organizations, and I have no idea what organization to put the user into upon first registration.

The workaround is to go ahead and start the session and store some state. But again, that was the point of 'state' originally: to pass some state. Now it's been co-opted to serve as just kind of a 'nonce'.
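The two requirements in this thread (a state value the server can verify, with an expiry, as Manuel describes for the class; and a state value that carries application data such as a return path and an organization, as James needs without $_SESSION) are not in conflict. The added example below is not code from the PHP OAuth Library and does not use its API; it sketches one way to do both in plain PHP: JSON-encode a random nonce, an expiry time and the application data, HMAC-sign that payload with a server-side secret, and verify the signature, the expiry and a browser-bound nonce cookie on the callback before trusting anything inside. The secret, the TTL, the cookie name `oauth_nonce` and the array keys are assumptions for this example.

```php
<?php
// Added example, not code from the PHP OAuth Library discussed in this thread.
// A self-verifying "state" value for a stateless callback (no $_SESSION):
// a random nonce, an expiry time and application data (return path,
// organization) are JSON-encoded and HMAC-signed with a server-side secret.
// The secret, the TTL, the cookie name and the array keys are assumptions.

const STATE_TTL = 600; // seconds a state value stays valid (assumed)

// Assumption: in production this is a fixed secret loaded from configuration,
// shared by the server that starts the flow and the one that handles the callback.
$STATE_SECRET = random_bytes(32);

function b64url_encode(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64url_decode(string $txt)
{
    return base64_decode(strtr($txt, '-_', '+/'), true);
}

// Build the state sent to the provider. Returns [state, nonce]. The caller
// stores the nonce in a short-lived HttpOnly cookie so the callback can check
// that the browser completing the flow is the one that started it.
function build_state(string $secret, array $app_data, int $now): array
{
    $nonce = bin2hex(random_bytes(16));
    $payload = json_encode([
        'nonce' => $nonce,
        'exp'   => $now + STATE_TTL,
        'data'  => $app_data,
    ]);
    $sig = hash_hmac('sha256', $payload, $secret, true);
    return [b64url_encode($payload) . '.' . b64url_encode($sig), $nonce];
}

// Verify the state that came back on redirect_uri. Returns the embedded
// application data, or null if the signature, expiry or browser binding fails.
function verify_state(string $secret, string $state, string $cookie_nonce, int $now): ?array
{
    $parts = explode('.', $state);
    if (count($parts) !== 2) {
        return null;
    }
    $payload = b64url_decode($parts[0]);
    $sig     = b64url_decode($parts[1]);
    if ($payload === false || $sig === false) {
        return null;
    }
    // Check the HMAC (constant time) before trusting anything inside the payload.
    if (!hash_equals(hash_hmac('sha256', $payload, $secret, true), $sig)) {
        return null;
    }
    $obj = json_decode($payload, true);
    if (!is_array($obj) || !isset($obj['nonce'], $obj['exp'], $obj['data'])
        || !is_string($obj['nonce']) || !is_int($obj['exp']) || !is_array($obj['data'])) {
        return null;
    }
    if ($obj['exp'] < $now) {
        return null; // expired: an old authorization response cannot be replayed
    }
    if (!hash_equals($obj['nonce'], $cookie_nonce)) {
        return null; // state was minted for a different browser (login CSRF)
    }
    return $obj['data'];
}

// Only accept local, relative return paths; anything else is an open redirect.
function safe_return_path($path): string
{
    if (is_string($path) && preg_match('#^/(?![/\\\\])[^\r\n]*$#', $path) === 1) {
        return $path;
    }
    return '/';
}

// --- usage with constructed values ---
$now = time();
[$state, $nonce] = build_state($STATE_SECRET, ['return' => '/projects/42', 'org' => 'acme'], $now);
// At flow start:
//   setcookie('oauth_nonce', $nonce, ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
//   then redirect to the provider's authorization URL with state=$state.

// On the callback, the state arrives as $_GET['state'] and the nonce as $_COOKIE['oauth_nonce'].
$data = verify_state($STATE_SECRET, $state, $nonce, $now + 5);
var_dump($data);
// A mismatched cookie or an elapsed TTL both make verify_state() return null.
var_dump(verify_state($STATE_SECRET, $state, 'some-other-nonce', $now + 5));
var_dump(verify_state($STATE_SECRET, $state, $nonce, $now + STATE_TTL + 1));
echo safe_return_path($data['return'] ?? null), "\n";
```

Two caveats a practitioner would want. First, the signature and expiry alone only prove the server minted the state; without a session, binding it to the browser needs something the browser presents on the callback, hence the nonce cookie (SameSite=Lax still lets that cookie accompany the top-level redirect back from the provider). Second, the return path is attacker-influenceable data once it has been decoded, so it is re-validated as a local path rather than redirected to blindly. As Manuel notes above, the class verifies the state itself, so a custom state like this would have to be used instead of, not spliced into, the class's own state handling.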