Use nonce instead of state to store security token
Opened this issue · 3 comments
jalyna commented
Since the OAuth API now accepts the nonce param (due to the OpenID Connect changes), we might think about moving the security token to the nonce instead of the state. This would also help us to use the state for other stuff.
jalyna commented
@nickcampbell18 wdyt?
nickcampbell18 commented
It sounds like we might need both - is this right?:
- If you're using login (`/sessions`), we're going to get an identity token back, and we can use the embedded `nonce` attribute as a safe alternative to the `state` parameter
- If you're using connect (`/connections`), we won't get an identity token back, and will therefore need to use `state`
jalyna commented
@nickcampbell18 you are right, I will create a PR
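The split the thread settles on, as an added example (not this project's code): the login flow binds the callback to the session through the `nonce` claim in the ID token, which frees `state` to carry application data, while the connect flow has no ID token and so keeps the random token in `state`. It assumes a server-side session (a plain dict here), a single-use token in either case, and a constructed HS256 signing helper (`make_id_token`) standing in for the provider's real signature so the code runs offline; in production the ID token signature is checked against the provider's published keys, and `begin_auth`, `finish_login` and `finish_connect` are hypothetical names.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed shared secret standing in for the provider's signing key.
PROVIDER_KEY = b"constructed-demo-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, key: bytes = PROVIDER_KEY, ttl: int = 60) -> str:
    """Constructed stand-in for the provider: mint an HS256 ID token with an expiry."""
    claims = {"exp": int(time.time()) + ttl, **claims}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_id_token(token: str, key: bytes = PROVIDER_KEY) -> dict:
    """Verify signature and expiry before trusting any claim, the nonce included."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    return claims


def begin_auth(session: dict, flow: str, return_to: str = "/") -> dict:
    """Build the authorization request params and remember the security token."""
    if flow == "login":
        # Login (/sessions): the ID token will echo the nonce, so the random
        # token lives there and state is free for app data such as a return path.
        if not return_to.startswith("/") or return_to.startswith("//"):
            raise ValueError("return_to must be a local path")
        nonce = secrets.token_urlsafe(32)
        session["oidc_nonce"] = nonce
        return {"nonce": nonce, "state": return_to}
    if flow == "connect":
        # Connect (/connections): no ID token comes back, so state must hold
        # the random token that ties the callback to this session.
        state = secrets.token_urlsafe(32)
        session["oauth_state"] = state
        return {"state": state}
    raise ValueError(f"unknown flow {flow!r}")


def finish_login(session: dict, id_token: str) -> dict:
    """Callback for /sessions: accept the token only if its nonce is ours."""
    expected = session.pop("oidc_nonce", None)  # single use, even on failure
    claims = verify_id_token(id_token)
    presented = str(claims.get("nonce", ""))
    if expected is None or not hmac.compare_digest(expected, presented):
        raise ValueError("nonce mismatch: ID token was not issued for this session")
    return claims


def finish_connect(session: dict, returned_state: str) -> bool:
    """Callback for /connections: state is the only binding available."""
    expected = session.pop("oauth_state", None)  # single use
    return expected is not None and hmac.compare_digest(expected, returned_state)


if __name__ == "__main__":
    session = {}
    params = begin_auth(session, "login", "/dashboard")
    token = make_id_token({"sub": "user-1", "nonce": params["nonce"]})
    print(finish_login(session, token)["sub"], "->", params["state"])
```

The order inside `finish_login` matters: the nonce is popped before verification so a failed callback cannot be retried against the same session value, and the signature and expiry are checked before the nonce is read, since an unverified claim proves nothing.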