When the OAuth callback returns to our app, we need to ensure that this is the end of a valid authentication sequence that we initiated, and not a forged redirect. Rather than using a nonce, we use a signed session id in a short-lifetime JSON Web Token, allowing us to cope better with concurrent authentication requests from the same browser session.
"One good choice for a state token is a string of 30 or so characters constructed using a high-quality random-number generator. Another is a hash generated by signing some of your session state variables with a key that is kept secret on your back-end."
The design here is partially based on an IETF draft for "Encoding claims in the OAuth 2 state parameter ...": https://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state-01
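The following is an added illustration of the scheme described above, not code from the project this page documents: the OAuth `state` parameter is a short-lived HS256 JWT whose payload carries the browser session id, so the callback can check that the redirect closes a flow this server started for this session, and several in-flight flows for one session remain valid at the same time. The claim name `sid`, the helper names, and the 600-second lifetime are assumptions made for the example (the IETF draft defines its own claim names); it uses only the Python standard library.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    # JWT segments are base64url without padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def make_state(session_id: str, secret: bytes, now: Optional[int] = None,
               ttl_seconds: int = 600) -> str:
    """Build the state token to send to the identity provider.

    The payload binds the token to the caller's session id ("sid" is an
    assumed claim name) and to a short validity window. No per-request
    nonce is stored server-side, so concurrent flows from one session
    each get their own valid token.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iat": now, "exp": now + ttl_seconds, "sid": session_id}
    segments = [
        _b64url(json.dumps(header, separators=(",", ":")).encode("utf-8")),
        _b64url(json.dumps(payload, separators=(",", ":")).encode("utf-8")),
    ]
    signing_input = ".".join(segments).encode("ascii")
    return ".".join(segments + [_b64url(_sign(signing_input, secret))])


def verify_state(token: str, session_id: str, secret: bytes,
                 now: Optional[int] = None) -> bool:
    """Check the state returned on the OAuth callback.

    Rejects malformed tokens, any algorithm other than the one we issue
    (so an "alg": "none" token is refused before the signature is looked
    at), bad signatures, expired tokens, and tokens minted for a
    different session id.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return False
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False
    if header.get("alg") != "HS256":
        return False
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    # Constant-time comparison so verification timing leaks nothing about the MAC.
    if not hmac.compare_digest(_sign(signing_input, secret), signature):
        return False
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return False
    return payload.get("sid") == session_id


if __name__ == "__main__":
    # Constructed sample values; the real secret would come from a secrets provider.
    secret = b"constructed-example-secret"
    state = make_state("sess-abc", secret, now=1_700_000_000)
    print(state)
    print(verify_state(state, "sess-abc", secret, now=1_700_000_100))  # True
    print(verify_state(state, "sess-abc", secret, now=1_700_000_700))  # False: expired
```

On the callback, `session_id` is taken from the caller's own session cookie, never from the request parameters, so the check only passes when the redirect lands in the same browser session that started the flow. Pinning the algorithm in `verify_state` matters as much as checking the signature: a verifier that honours whatever `alg` the token declares can be talked into skipping the MAC.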
Value parameters
- secretsProvider
- signatureAlgorithm: defaults to a sensible value, but you can consider using AntiForgeryChecker#signatureAlgorithmFromPlay
Attributes
- Companion: object
- Supertypes: trait Serializable, trait Product, trait Equals, trait Logging, class Object, trait Matchable, class Any