
There is a requirement from the identity server not to pass 'state' and 'scope' in the URL.

The request is in the following format:

URL?app=xxx&response_type=code&client_id=yyy&state=zzz&redirect_uri=aaa&scope=openid%20id%20offline_access

Angular code loads the Auth Config as follows:

import { AuthConfig } from 'angular-oauth2-oidc';

// redirectURL and HALF_HOUR are defined elsewhere in the application
export const authConfigDefaults: AuthConfig = Object.freeze({
  oidc: false,
  responseType: 'code',
  scope: 'openid id offline_access',
  strictDiscoveryDocumentValidation: false,
  redirectUri: redirectURL,
  silentRefreshTimeout: HALF_HOUR,
  fallbackAccessTokenExpirationTimeInSec: HALF_HOUR,
  useSilentRefresh: true
});

'state' is still passed in the URL even if I set 'state' = '' in the above block.

How can I avoid state and scope in the URL that is passed to the identity server?

  • state is indeed optional for the client to pass, but it's required for the server to support. Sounds like both your server and client are buggy. Commented Sep 6, 2022 at 9:36

1 Answer

You must pass scope and state as parameters to IdentityServer, that is how OpenID Connect works...

Why do you not want to pass it?

I recently blogged about the state and nonce parameter here:


2 Comments

state is optional
Yes, state might be optional, but it is recommended security best practice to keep it, together with PKCE.
