Iliaaaa

Reputation: 119

Using authentication JWT token as "state" with OAuth

I am building OAuth authentication with Instagram. The problem is that I am using React Native and the process happens in the web browser module, so the flow goes like this:

  1. user clicks on login button in the application.
  2. code (expo-web-browser) opens up the Instagram authorization window and the user enters credentials.
  3. code is generated and sent to my callback url.

I parse that code and exchange it for an access_token and userId, but I also need to access the id of the user of my application. I haven't found any other way than passing a JWT in the state param and then parsing it in the callback route, but as state is originally built for security, and this is not its primary use case, would I face any security threats going down this path?

Upvotes: 0

Views: 678

Answers (1)

Spomky-Labs

Reputation: 16775

as state is originally built for security, and this is not its primary use case, would I face any security threats going down this path?

With your use case, if the state can be guessed by an attacker, you will lose all the benefits. What I recommend here is to have a kind of structured state. For example, you could generate a random string and concatenate it to the data you want to get back:

{"userID":"user123","data":"another important data"}:put here a random string that acts as the state

You could base64url-encode the data in case specific characters are present.

Upvotes: 1
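A worked version of the structured state the answer describes, added here as an example (not code from the answer or from any OAuth library): the application's own data travels together with a random nonce, the whole value is base64url-encoded and HMAC-signed so the callback route can reject a forged or tampered state, and each nonce is accepted exactly once. The signing key and the in-memory `pending` store are assumptions; in a real deployment the nonce would be tied to the user's session.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional


def _b64url_encode(raw: bytes) -> str:
    # base64url without padding, so the value is safe in a query string
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_state(payload: dict, key: bytes, pending: dict) -> str:
    """Build '<base64url(json)>.<hmac>' carrying payload plus a fresh nonce."""
    nonce = secrets.token_urlsafe(32)            # unguessable, 256 bits
    body = _b64url_encode(
        json.dumps({"nonce": nonce, **payload}, separators=(",", ":")).encode()
    )
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    pending[nonce] = True                        # issued, not yet consumed
    return f"{body}.{tag}"


def verify_state(state: str, key: bytes, pending: dict) -> Optional[dict]:
    """Return the payload if signature and nonce check out, else None."""
    if "." not in state:
        return None
    body, tag = state.split(".", 1)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None                              # forged or tampered
    try:
        data = json.loads(_b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None
    nonce = data.pop("nonce", None)
    # one-shot: an unknown or already-consumed nonce is rejected (replay/CSRF)
    if nonce is None or pending.pop(nonce, None) is None:
        return None
    return data
```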
