tomasvotava/fastapi-sso

use_state=True is a bad default

ichernev opened this issue · 1 comment

As far as I can tell, the state/use_state feature is not a very useful one:

  • if the web server has more than one instance it is useless
  • if there is one instance, but there is more than one flow "in-flight", it's also broken (login for user A, login for user B, callback for A, callback for B)

Also I fail to understand what security benefits it gives over the "bare" SSO flow.

In any case, if somebody has a single server and plans to run a single flow at a time (i.e. very light load and doesn't care if it breaks from time to time), then maybe use_state may make sense. So I suggest having the default be False.

Apparently some people got beaten by this, but they couldn't figure it out further: https://stackoverflow.com/questions/68163139/detailstate-parameter-in-callback-request-does-not-match-our-internal-st/75009370#75009370

Hi and thanks for this issue!
I absolutely agree this was a bad choice and will remove the use_state in future releases. You either set your own state and manage it by yourself or you don't want to use it at all (which should be default).
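An added illustration (not fastapi-sso's own code) of the two failure modes listed in the issue and of the "manage it yourself" alternative the maintainer mentions: a single per-process state slot breaks under interleaved logins and across instances, while a per-flow nonce echoed in both the redirect URL and a cookie on the same browser needs no server memory and also rejects a callback the browser never initiated. The class names and the cookie scheme are assumptions for the example; the flows are simulated in-process rather than over HTTP.

```python
import hmac
import secrets


class SingleSlotState:  # one state value per process, as the issue describes
    def __init__(self):
        self._state = None

    def begin_login(self):
        self._state = secrets.token_urlsafe(32)  # sent as ?state=... to the provider
        return self._state

    def verify_callback(self, state):
        return self._state is not None and hmac.compare_digest(self._state, state)


class PerBrowserState:
    """Per-flow nonce in the redirect URL and in a cookie on the same browser."""

    def begin_login(self):
        state = secrets.token_urlsafe(32)
        return state, state  # (state query parameter, cookie value)

    def verify_callback(self, state, cookie):
        return cookie is not None and hmac.compare_digest(cookie, state)


def single_slot_interleaved():
    sso = SingleSlotState()
    state_a = sso.begin_login()  # user A redirected to the provider
    state_b = sso.begin_login()  # user B redirected; A's state is overwritten
    return sso.verify_callback(state_a), sso.verify_callback(state_b)  # (False, True)


def single_slot_two_instances():
    instance_1, instance_2 = SingleSlotState(), SingleSlotState()
    state = instance_1.begin_login()          # login handled by instance 1
    return instance_2.verify_callback(state)  # callback lands on instance 2: False


def per_browser_interleaved():
    sso, other_instance = PerBrowserState(), PerBrowserState()
    state_a, cookie_a = sso.begin_login()
    state_b, cookie_b = sso.begin_login()
    ok_a = other_instance.verify_callback(state_a, cookie_a)  # any instance can verify
    ok_b = sso.verify_callback(state_b, cookie_b)
    # forged: B's state arriving with A's cookie (a callback A never started)
    forged = sso.verify_callback(state_b, cookie_a)
    return ok_a, ok_b, forged  # (True, True, False)
```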