zaikio/zaikio-oauth_client

Use nonce instead of state to store security token

Opened this issue · 3 comments

Since the OAuth API now accepts the nonce param (due to the OpenID Connect changes), we might think about moving the security token to the nonce instead of the state. That would also let us use the state for other stuff.

see also https://stackoverflow.com/questions/46844285/difference-between-oauth-2-0-state-and-openid-nonce-parameter-why-state-cou

It sounds like we might need both. Is this right?

  • If you're using login (/sessions), we're going to get an identity token back, and we can use the embedded nonce attribute as a safe alternative to the state parameter
  • If you're using connect (/connections), we won't get an identity token back, and will therefore need to use state
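
An added example (not code from zaikio-oauth_client) of the two checks the comment above separates: for the login flow the random nonce sent in the authorization request is compared against the `nonce` claim of the returned ID token, which leaves `state` free for application data; for the connect flow no ID token comes back, so a random, single-use `state` is the only value that ties the callback to the session that started it. The RS256 helpers stand in for the issuer and a JWT library so the file runs offline; the module name, issuer URL and client id are made up for the example.

```ruby
require "securerandom"
require "json"
require "openssl"

# Example code, not the gem's own. Binds an OAuth callback to the session that
# started it in the two ways discussed in the thread:
#   * login flow (/sessions): an ID token comes back, so the "nonce" claim is the
#     binding and "state" is free for application data (e.g. a return path);
#   * connect flow (/connections): no ID token, so "state" itself must be the
#     random, single-use binding value.
module CallbackBinding
  module_function

  def b64url(bytes)
    [bytes].pack("m0").tr("+/", "-_").delete("=")
  end

  def b64url_decode(str)
    s = str.tr("-_", "+/")
    (s + "=" * ((4 - s.length % 4) % 4)).unpack1("m0")
  end

  # Constant-time equality; nil or empty on either side always fails.
  def secure_equal?(a, b)
    return false if a.nil? || b.nil? || a.empty? || a.bytesize != b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Called before redirecting to the authorization endpoint. Both values are
  # random and stored server-side; the nonce only exists for the login flow.
  def start(session, flow:)
    session[:oauth_state] = SecureRandom.urlsafe_base64(32)
    session[:oauth_nonce] = SecureRandom.urlsafe_base64(32) if flow == :login
    session
  end

  # /connections callback: no ID token, so the state parameter is the check.
  # The stored value is deleted first so a replayed callback cannot pass twice.
  def verify_connect_callback(session, params)
    expected = session.delete(:oauth_state)
    secure_equal?(expected, params["state"])
  end

  # /sessions callback: verify the ID token, then compare its nonce claim with
  # the stored (single-use) nonce. Returns the claims on success, nil otherwise.
  def verify_login_callback(session, id_token, issuer_key, issuer:, client_id:, now: Time.now.to_i)
    expected_nonce = session.delete(:oauth_nonce)
    claims = decode_rs256(id_token, issuer_key)
    return nil unless claims
    return nil unless claims["iss"] == issuer && claims["aud"] == client_id
    return nil unless claims["exp"].is_a?(Integer) && claims["exp"] > now
    return nil unless secure_equal?(expected_nonce, claims["nonce"])
    claims
  end

  # Stand-in for the issuer: mints an RS256-signed ID token.
  def encode_rs256(claims, private_key)
    header = b64url(JSON.generate("alg" => "RS256", "typ" => "JWT"))
    payload = b64url(JSON.generate(claims))
    input = "#{header}.#{payload}"
    "#{input}.#{b64url(private_key.sign(OpenSSL::Digest.new('SHA256'), input))}"
  end

  # Pins the algorithm to RS256 instead of trusting the header's "alg" field.
  def decode_rs256(token, public_key)
    header_b64, payload_b64, sig_b64 = token.to_s.split(".", 3)
    return nil unless header_b64 && payload_b64 && sig_b64
    return nil unless JSON.parse(b64url_decode(header_b64))["alg"] == "RS256"
    input = "#{header_b64}.#{payload_b64}"
    return nil unless public_key.verify(OpenSSL::Digest.new("SHA256"), b64url_decode(sig_b64), input)
    JSON.parse(b64url_decode(payload_b64))
  rescue JSON::ParserError, ArgumentError, TypeError, OpenSSL::PKey::PKeyError
    nil
  end
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048)
  session = CallbackBinding.start({}, flow: :login)
  token = CallbackBinding.encode_rs256(
    { "iss" => "https://issuer.example", "aud" => "client-123",
      "exp" => Time.now.to_i + 300, "nonce" => session[:oauth_nonce], "sub" => "user-1" }, key)
  claims = CallbackBinding.verify_login_callback(session, token, key.public_key,
                                                 issuer: "https://issuer.example", client_id: "client-123")
  puts claims ? "login callback accepted for #{claims['sub']}" : "login callback rejected"
end
```

The nonce and state are both consumed with `session.delete` before comparison, so a replayed callback fails even if the attacker captured a valid value; the connect path rejects a missing `state` rather than treating nil as a match.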

@nickcampbell18 you are right, I will create a PR.