https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675 --- Comment #3 from David Cook <dcook@prosentient.com.au> --- (In reply to Tomás Cohen Arazi from comment #1)
This is a recommended openid-connect parameter [1] and OAuth2 integrations seem to require it [2], but I'm not sure if it should be enforced. Basically because I don't know all the IdPs around.
It looks like OAuth2 also only recommends it: https://www.rfc-editor.org/rfc/rfc6749#section-4.1.1 However, the specs do say that the "state" parameter is required in the Authorization Response if it was included in the Authorization Request: https://www.rfc-editor.org/rfc/rfc6749#section-4.1.2 I suspect that most IdPs should support "state" if they want to be spec compliant, although I suppose there's no guarantee. I've certainly dealt with 1 non-compliant IdP in the past, although that was nearly 10 years ago now. If we are worried, I think we could make using "state" optional in terms of whether or not to send it, but... I think it should be all right. -- You are receiving this mail because: You are watching all bug changes.