PHP Classes

How to pass custom params to the state value

Subject: How to pass custom params to the...
Summary: Currently $state=$_SESSION['OAUTH_STATE'] but what about custom
Messages: 8
Author: Sebas
Date: 2017-08-19 18:37:26

1. How to pass custom params to the...
Sebas - 2017-08-19 18:37:26
Hello,

Please advise how to pass my own params to the state? I was trying to do this: $client->state = '1234567890check'; But it doesn't work. Can you please add some flexibility to the State value? Thanks

2. Re: How to pass custom params to the...
Sebas - 2017-08-19 19:18:26 - In reply to message 1 from Sebas
The state parameter by default is designed in OAuth 2.0 for passing a certain custom value to the provider's API and getting exactly the same value back as a response from the round-trip API call. Which means if I define state='my-own-token-123', that value will go to the API provider's server and come back as a response in the URL from the provider, for checking if those values are the same. So the question is - how to pass any custom value in "state" using your class?

Thanks

3. Re: How to pass custom params to the...
Manuel Lemos - 2017-08-20 00:54:18 - In reply to message 1 from Sebas
The class generates a random state value and stores it in the storage container (defaults to PHP sessions). This is just for data tampering prevention.

If you store custom values to access when the user returns from the authorization page, you can use your own session variables.

Is there a reason why you would like to use the actual state value passed back and forth to the authorization server?

4. Re: How to pass custom params to the...
Sebas - 2017-08-20 15:09:36 - In reply to message 3 from Manuel Lemos
Hello Manuel,

Thanks for your reply.
Yes, I saw that your class handles the random session values to prevent data tampering, and it would be good if there were a way to define custom (own) values for the "state" param - something like $client->state = 'my-own-1234567890-value'; I would think you may add a condition to the class: if $client->state = '' (empty) then the class will use the random session value ($_SESSION['OAUTH_STATE']), otherwise use the defined value!

Thanks

5. Re: How to pass custom params to the...
Manuel Lemos - 2017-08-20 18:54:07 - In reply to message 4 from Sebas
I can provide means to override the state value.

The question is why do you need that? Is there a use case in which it would be interesting for you to use the OAuth state instead of other PHP session variables under your control?

6. Re: How to pass custom params to the...
Sebas - 2017-08-20 19:44:12 - In reply to message 5 from Manuel Lemos
Actually I want to use your class in a cross-domain operation. The OAuth class will be installed on one domain, where I want to create a signature with some parameters and pass it as the "state" value. On a different domain I want to accept authentication based on the signature params from the "state" value. So that is why I'm interested in a custom value for the state parameter.

7. Re: How to pass custom params to the...
Manuel Lemos - 2017-08-20 20:33:30 - In reply to message 6 from Sebas
I see.

Well, currently the class not only generates a random state value, but it also checks the time when the state value was generated to avoid repetition attacks.

If you completely override the state value, the class will not be able to protect against repetition attacks.

Anyway, the class itself uses a session variable to store the state value.

Wouldn't using a separate PHP session variable solve your problem?

8. Re: How to pass custom params to the...
Sebas - 2017-08-20 21:31:14 - In reply to message 7 from Manuel Lemos
The current logic of the class is great indeed and I believe it should stay as it is, but with a little more flexibility using an IF condition for the state parameter. As for my case, I'm thinking of using my own encode/decode algorithm instead of a PHP session; therefore I would prefer to use the state value just with my params (where I can wrap the timestamp as well and check it later to prevent repetition attacks).

So as I have mentioned previously, it would be really good to add to your class an empty state option $client->state = '' (similar to $client->scope = '') -> if $client->state = '' (empty) then the class will use the built-in random session value ($_SESSION['OAUTH_STATE']), otherwise use the defined value.

Thanks
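The scheme Sebas describes in message 8 (custom params and a timestamp wrapped into the state, checked later without a PHP session) can be done with an HMAC-signed state. The following is an added example, not code from the PHP OAuth Library; it assumes a shared secret known to both domains (STATE_SECRET) and a 10-minute validity window (STATE_MAX_AGE), both names chosen here.

```php
<?php
// Added example (not part of the PHP OAuth Library): a signed, time-limited OAuth
// "state" value that carries custom parameters and is verified without a session.
// Assumption: STATE_SECRET is the same long random value on both domains.
const STATE_SECRET  = 'replace-with-a-long-random-secret';
const STATE_MAX_AGE = 600; // seconds a state stays acceptable (limits replay window)

function base64url_encode(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64url_decode(string $data) {
    return base64_decode(strtr($data, '-_', '+/'), true); // strict: false on bad input
}

// state = base64url(payload) . '.' . base64url(HMAC-SHA256(payload))
// payload = JSON with the caller's params, an issue timestamp and a random nonce.
function build_state(array $params, ?int $now = null): string {
    $payload = json_encode([
        'p'  => $params,
        'ts' => $now ?? time(),
        'n'  => bin2hex(random_bytes(8)),
    ]);
    $encoded = base64url_encode($payload);
    $mac     = hash_hmac('sha256', $encoded, STATE_SECRET, true);
    return $encoded . '.' . base64url_encode($mac);
}

// Returns the embedded params, or null if the signature is wrong or the state is stale.
function verify_state(string $state, ?int $now = null): ?array {
    $parts = explode('.', $state, 2);
    if (count($parts) !== 2) return null;
    [$encoded, $sig] = $parts;
    $expected = hash_hmac('sha256', $encoded, STATE_SECRET, true);
    $given    = base64url_decode($sig);
    // Constant-time comparison, before anything in the payload is trusted.
    if ($given === false || !hash_equals($expected, $given)) return null;
    $raw  = base64url_decode($encoded);
    $data = json_decode($raw === false ? '' : $raw, true);
    if (!is_array($data) || !isset($data['ts'], $data['p']) || !is_array($data['p'])) return null;
    $age = ($now ?? time()) - (int) $data['ts'];
    if ($age < 0 || $age > STATE_MAX_AGE) return null; // old or future-dated state is rejected
    return $data['p'];
}

// Constructed usage: issue on domain A, verify on domain B with the same secret.
$state = build_state(['user' => 42, 'return_to' => '/dashboard']);
var_dump(verify_state($state));                 // fresh, untampered state
var_dump(verify_state($state, time() + 3600));  // same state seen after the window
var_dump(verify_state($state . 'x'));           // signature no longer matches
```

The timestamp only bounds how long a captured state can be reused; rejecting a repeat within the window still needs the nonce to be remembered server-side, which is what the library's session-stored state gives you.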