how to add state param for Uberauth in Elixir

Question

During oAuth process it's good to set state param to authorize url for security. When I checked Überauth Shopify https://github.com/kodehort/ueberauth_shopify/blob/master/lib/ueberauth/strategy/shopify.ex#L88 it is sent to shopify.

But I don't understand how I need to set this state param in my Phoenix application that Shopify would get it. Any suggestions?

score 1 · Answer 1 · answered Jul 11 '21 at 19:22

1

Since recent, Ueberauth auto-sets and checks it for you by default, to protect you from CSRF.

answered Jul 11 '21 at 19:22

Kevin Johnson

1,890
13
15

score 0 · Accepted Answer · answered Mar 09 '19 at 17:22

0

You supply state in the URL you're passing to Ueberauth (In the same way, scopes are passed as well)

Depending on your router setup, with the default being:

pipeline :auth do
  Ueberauth.plug "/auth"
end

scope "/auth" do
  pipe_through [:browser, :auth]

  get "/:provider/callback", AuthController, :callback
end

you supply scopes and state by redirecting your user to the specified auth URL:

/auth/shopify?scopes=read_orders%20read_products&state=yourSuperSecretState

or without any scopes:

/auth/shopify?state=yourSuperSecretState

answered Mar 09 '19 at 17:22

Jonas Dellinger

1,294
9
19

oh, thanks. I thought it's possible to set somehow in a code – kritik Mar 11 '19 at 06:25
If the answer works for you, you should also accept it ;) – Jonas Dellinger Mar 11 '19 at 09:06

how to add state param for Uberauth in Elixir

2 Answers2