Joseph

Reputation: 13

Why state changes when requires authorization consent in Spring Authorization Server

Using Spring Security Authorization Server 1.0. When the client first calls the /authorize endpoint and consent is required, the state parameter is regenerated, which causes an error when moving back to the client redirect URL. No changes found in the recent version 1.2.

Does anyone know why this state value changes?

The client calls with state value "stateA":

http://myauthserver.com/oauth2/authorize?response_type=code&client_id=myclient&scope=openid%20email&state=stateA&redirect_uri=http://myclient.com/login

The Authorization Server regenerates the state value with "Base64StringKeyGenerator" when consent is required. Why?

Upvotes: 1

Views: 162

Answers (1)

Steve Riesenberg

Reputation: 6158

It's an implementation detail of the way the filters work and doesn't really matter to the client or user. It's not really related to state in the OAuth2 authorization request. More specifically:

The authorization server uses the state parameter for the consent screen to track the submission of the user's consent from an HTML form.

  1. OAuth2AuthorizationCodeRequestAuthenticationProvider generates the state parameter and stores it with the in-progress authorization for the user before rendering the consent screen.
  2. OAuth2AuthorizationConsentAuthenticationProvider uses the state parameter to look up the same in-progress authorization during processing of the consent request and store the user's consent.

It's nice because then each user flow is unique while it is in progress, and isn't simply stored in the session (for example) such that it could get confused or overwritten later if the user abandons the flow halfway through. But it really is just an implementation detail.

Upvotes: 0
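To make the two-state distinction in the answer concrete, here is an added Python simulation of the flow. It is not Spring Authorization Server's code: the names `ConsentFlow`, `InProgressAuthorization` and `run_flow` are assumptions, and `secrets.token_urlsafe` stands in for `Base64StringKeyGenerator`. It shows the server-generated state living only in the consent form and being single-use, while the client's original `stateA` is the value that comes back on the redirect.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple
from urllib.parse import parse_qs, urlencode, urlparse


@dataclass
class InProgressAuthorization:
    """What the server remembers between /authorize and the consent POST."""
    client_id: str
    redirect_uri: str
    requested_scopes: Set[str]
    client_state: Optional[str]   # the client's own state, passed back untouched
    consent_state: str            # server-generated key for the consent form


class ConsentFlow:
    """Toy model (hypothetical, not Spring's code) of the two distinct state values."""

    def __init__(self) -> None:
        self._pending: Dict[str, InProgressAuthorization] = {}
        self.consented: Dict[Tuple[str, str], Set[str]] = {}  # (client, user) -> scopes

    def authorize(self, client_id, redirect_uri, scopes, user, client_state=None):
        """Step 1: if consent already covers the scopes, redirect at once;
        otherwise mint a consent state and render the form."""
        granted = self.consented.get((client_id, user), set())
        if set(scopes) <= granted:
            return self._redirect_with_code(redirect_uri, client_state)
        # Analogue of Base64StringKeyGenerator: a fresh random URL-safe token.
        consent_state = secrets.token_urlsafe(32)
        self._pending[consent_state] = InProgressAuthorization(
            client_id, redirect_uri, set(scopes), client_state, consent_state)
        # The hidden form field carries the SERVER state, not the client's.
        return {"form": {"client_id": client_id, "state": consent_state,
                         "scope": sorted(scopes)}}

    def submit_consent(self, user, form_state, approved_scopes):
        """Step 2: look up the in-progress authorization by the consent state."""
        pending = self._pending.pop(form_state, None)  # single use: removed on lookup
        if pending is None:
            raise PermissionError("unknown or already-used consent state")
        if not set(approved_scopes) <= pending.requested_scopes:
            raise PermissionError("approved scopes exceed requested scopes")
        self.consented.setdefault((pending.client_id, user), set()).update(approved_scopes)
        # The client's original state is what goes back on the redirect.
        return self._redirect_with_code(pending.redirect_uri, pending.client_state)

    @staticmethod
    def _redirect_with_code(redirect_uri, client_state):
        params = {"code": secrets.token_urlsafe(16)}
        if client_state is not None:
            params["state"] = client_state
        return {"redirect": f"{redirect_uri}?{urlencode(params)}"}


def client_state_from_redirect(url: str) -> Optional[str]:
    """Extract the state parameter the client sees on its redirect URL."""
    return parse_qs(urlparse(url).query).get("state", [None])[0]


def run_flow() -> dict:
    """Worked run of the question's request (constructed values); returns results to inspect."""
    server = ConsentFlow()
    first = server.authorize("myclient", "http://myclient.com/login",
                             ["openid", "email"], user="alice", client_state="stateA")
    form_state = first["form"]["state"]
    done = server.submit_consent("alice", form_state, ["openid", "email"])
    returned_state = client_state_from_redirect(done["redirect"])
    # Re-posting the same form state is rejected: the in-progress record is gone.
    replay_rejected = False
    try:
        server.submit_consent("alice", form_state, ["openid"])
    except PermissionError:
        replay_rejected = True
    # A later authorize with consent on record skips the form entirely.
    second = server.authorize("myclient", "http://myclient.com/login",
                              ["openid"], user="alice", client_state="stateB")
    return {"form_state_is_client_state": form_state == "stateA",
            "returned_state": returned_state,
            "replay_rejected": replay_rejected,
            "second_state": client_state_from_redirect(second["redirect"])}


if __name__ == "__main__":
    print(run_flow())
```

The design point the answer makes shows up in `submit_consent`: because the consent state is the lookup key for one specific in-progress authorization and is consumed on use, two concurrent or abandoned flows for the same user cannot overwrite each other, and the client never has to know the value at all.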
