Why was the state parameter removed from WebServerClient:RequestUserAuthorization in version 4.0.1.12097

Question

I have been using DotNetOpenAuth v3.5.0.10357 for about a year now and finally decided to upgrade to v4.0.1.12097. In doing so, I noticed the RequestUserAuthorization method no longer accepts a state parameter.

//v3.5.0.10357
WebServerClient:RequestUserAuthorization(IEnumerable<string> scope = null, string state = null, Uri returnTo = null);

//v4.0.1.12097
WebServerClient:RequestUserAuthorization(IEnumerable<string> scope = null, Uri returnTo = null);

Facebook documentation, mentions this helps guard against Cross-site Request Forgery. What was the reasoning for the removal?

score 0 · Accepted Answer · answered Jul 01 '12 at 01:44

0

Well, after a bit more digging I found out why it was removed. DotNetOpenAuth does state checking internally (EndUserAuthorizationRequest.ClientState), leaving one less thing for us to worry about. Nicely done!

answered Jul 01 '12 at 01:44

mateuscb

10,150
3
52
76

1

Correct. I'm glad that our purposes for that variable coincide! – Andrew Arnott Jul 01 '12 at 13:12

Why was the state parameter removed from WebServerClient:RequestUserAuthorization in version 4.0.1.12097

1 Answers1