What’s the purpose of static State variable

[vivekprm]

I was going through custom login samples. We are using static state while implementing authorization-code flow, what’s the point of static state as it’s leaking into frontend?

If I change it to random string then how can I compare it across different requests (i.e. authorize and token call) as there is nothing common in both these requests and are stateless?

One approach I could think of is adding state into a cache and while getting the token check state is present in the cache.

However, it doesn't compare the state specifically but reduces the risk.

[fwiedmann]

@vivekprm hey hey, I guess they use the static state just for simplicity and only for the purpose of a demo. Note that the value of the nonce should also be random per login request. You could make use of the session store which is used in the demo to persist the received access_token and id_token in the callback handler.

The session pkg stores the data in a secured encrypted cookie in the browser of the clients. Also note for production that the encryption key should be passed into your app via e.g. a environment variable.

[bretterer]

Yes, this is correct. The state is just for demo purposes. State can be anything to describe your current state of your application, and is passed back and forth to help you know what is going on.

[fwiedmann]

@bretterer could I create a PR with some improvemnets?

• Passing the session store encryption key via env like client credentials
• create a random nonce and state for auth requests
• Change the http redirect status code to temporary redirect

[bretterer]

We always welcome PRs in our repos. If you do, please fill out our CLA. Details can be found at developers.okta.com/cla

[vivekprm]

#39 Added support for passing encryption keys and dynamic state.