OAuth In App

I am using an OAuth In App client. The client is a cloud server.

This cloud server receives the code in the OAuth 2.0 authorization code flow. The cloud server then requests an access token from the SmartThings cloud.

I want to know if I can send a variable like state in the sign-in URL so that I can use this variable on my cloud component when the code is received.

Could you not create an object that includes the variable and encode that as the existing state parameter, or am I missing the point?

Actually I have 2 components:

App: the user scans a QR code and signs in.

This should be the sender of a unique string I want to use in my second component.

Cloud server: this is the OAuth In App client which receives the code with the state parameter and then requests an access token.

Currently I am putting the unique string in the state parameter, receiving it on the cloud server and then using it directly, but if the state parameter changes in the middle of the OAuth 2.0 sign-in, the cloud doesn't really know it and simply uses it anyway, which is not ideal.

Welcome back to the SmartThings Community, @Krushnali_Tiwari!
What do you mean by it changing it in the middle of OAuth sign in? I’ve seen the parameter’s value is carried through the different steps and doesn’t change, but if you have seen it changes, we can investigate further.
Or do you mean in case it changes on your side?

Cross-Site Request Forgery (CSRF) Protection:

When the code value is received, the application verifies that the state value returned by the authorization server matches the one it originally sent. If they do not match, it indicates a potential CSRF attack, and the authorization process should be aborted. This prevents an attacker from tricking a user into granting access to a malicious application.

This is the actual work of the state parameter. In my case the cloud platform doesn't really know the state value; it is a unique value which is sent by the app, which is raising some security flags.

Does the ‘unique value’ have meaning in itself? For example, is it effectively an identifier for your cloud server?

Do you have much flexibility at the app end? If the ‘unique value’ is meaningful it would be better if you could reversibly obfuscate it as the state in such a way that an invalid state could be recognised.

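The CSRF check described earlier in the thread and the suggestion just above (carry the app's value inside state in a form whose tampering the cloud server can recognise) can be combined in one scheme. The following is an added example written for this thread, not code from SmartThings or from any poster. It assumes an HMAC key shared between the app that builds the sign-in URL and the cloud server that receives the callback; `make_state`, `StateVerifier`, `tamper_value`, the authorize endpoint and the client parameters are hypothetical names and placeholders. The state carries the app's unique value, a random single-use nonce and a timestamp, all under an HMAC-SHA256 tag, so the cloud server can reject a state that was altered, forged, replayed or left to go stale.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

# Added example, not SmartThings code. Assumes one key shared by the app (builds the
# sign-in URL) and the cloud server (handles the callback). All names are hypothetical.

STATE_MAX_AGE = 600  # seconds a state stays valid; an assumption, tune to the sign-in flow


def _b64u(data: bytes) -> str:
    """URL-safe base64 without padding so the value survives the query string."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key: bytes, body: str) -> str:
    return _b64u(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())


def make_state(key: bytes, unique_value: str, now=None) -> str:
    """App side: wrap the app's unique value in a signed, single-use state token."""
    payload = {
        "v": unique_value,                # the value the cloud server wants back
        "n": secrets.token_urlsafe(16),   # per-sign-in nonce: unguessable and single use
        "t": int(time.time() if now is None else now),
    }
    body = _b64u(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    return f"{body}.{_sign(key, body)}"


def sign_in_url(authorize_endpoint: str, client_id: str, redirect_uri: str, state: str) -> str:
    """Authorization-code request carrying the signed state (endpoint and params are placeholders)."""
    query = {"response_type": "code", "client_id": client_id,
             "redirect_uri": redirect_uri, "state": state}
    return f"{authorize_endpoint}?{urlencode(query)}"


class StateVerifier:
    """Cloud-server side: accept a state only if it is ours, fresh and not seen before."""

    def __init__(self, key: bytes, max_age: int = STATE_MAX_AGE):
        self.key = key
        self.max_age = max_age
        self.seen_nonces = set()  # use a shared store (e.g. a database) across several nodes

    def verify(self, state: str, now=None):
        """Return the app's unique value, or None if the callback must be rejected."""
        body, sep, tag = state.partition(".")
        if not sep or not hmac.compare_digest(tag.encode(), _sign(self.key, body).encode()):
            return None                   # altered, forged, or signed with another key
        try:
            payload = json.loads(_b64u_decode(body))
        except ValueError:                # covers binascii.Error and bad JSON/UTF-8
            return None
        if not isinstance(payload, dict) or not all(k in payload for k in ("v", "n", "t")):
            return None
        now = time.time() if now is None else now
        if not isinstance(payload["t"], (int, float)) or not 0 <= now - payload["t"] <= self.max_age:
            return None                   # expired, or clock skew beyond tolerance
        if payload["n"] in self.seen_nonces:
            return None                   # replayed callback
        self.seen_nonces.add(payload["n"])
        return payload["v"]


def tamper_value(state: str, new_value: str) -> str:
    """What someone in the middle could try: swap the value but keep the original tag."""
    body, _, tag = state.partition(".")
    payload = json.loads(_b64u_decode(body))
    payload["v"] = new_value
    body = _b64u(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    return f"{body}.{tag}"


if __name__ == "__main__":
    key = b"shared-secret"                # constructed demo key; load from config in practice
    state = make_state(key, "device-abc")
    print(sign_in_url("https://example.invalid/oauth/authorize", "client-id",
                      "https://cloud.example.invalid/callback", state))
    verifier = StateVerifier(key)
    print("genuine callback  ->", verifier.verify(state))
    print("replayed callback ->", verifier.verify(state))
    print("tampered callback ->", StateVerifier(key).verify(tamper_value(state, "device-evil")))
```

The cloud server never has to know the app's value in advance: the HMAC tag proves the state was built by something holding the key, the nonce set turns each state into a one-time credential, and the timestamp bounds how long a captured state stays usable. If the app cannot hold a key, an equivalent arrangement is for the app to ask the cloud server for a freshly minted state before opening the sign-in URL.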