I'm using the Microsoft identity platform and OAuth 2.0 authorization code flow to authorize user information from Microsoft Azure. In my Ruby code I pass the state parameter to Microsoft:

config.omniauth :azure_oauth2, client_id: "xxxxxxxxxxxx", client_secret: "xxxxxxxxxxxx", tenant_id: "xxxxxxxxxxxx", scope: "user.read", state: "development", response_type: "token", response_mode: "query"

I'm supposed to receive a state parameter with the same value ("development") as I sent. But it seems I got a hashed value for it after Microsoft received my request:

https://login.microsoftonline.com/xxxxxxxx&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fomniauth%2Fazure_oauth2%2Fcallback&response_type=code&scope=user.read&state=6ff45c77bf433d3bf33dd8df956fda77d62467c0b29b6f4c&sso_reload=true

Any idea? Thanks.

Dr.Black

1 Answer


This is working as per design; the state is a randomly generated unique value that is typically used for preventing cross-site request forgery attacks. The state is also used to encode information about the user's state in the app. See the docs for more details: https://learn.microsoft.com/en-us/graph/auth-v2-user

vicky kumar
  • Well, it didn't say it's generated randomly. You can pass any value for a request and you are supposed to get the same value from the callback as well. – Dr.Black Jun 06 '22 at 15:32
  • Hi @Dr.Black, sorry for the delayed response. What you said makes sense; we tried from our end and we are unable to repro it. Could you please try using the API directly in your browser? It seems like there is something going wrong with the code: as I can see you are using response_type="token", could you please try using response_type=code and let's see. You can also share the code you tried. – vicky kumar Jun 16 '22 at 08:33
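As an added example (not code from the question, the answer, or the omniauth gem), here is how a Ruby OAuth 2.0 client would handle state the way the answer describes: a random nonce bound to the user's session for CSRF protection, with the app's own value ("development") carried inside the state rather than replacing it. The HMAC key, helper names and URL construction are assumptions for the demo.

```ruby
# Added example: OAuth 2.0 state handling for an authorization code flow client.
# The random nonce is the anti-CSRF binding; application data travels alongside
# it inside the state value, integrity-protected so the callback can trust it.
require "securerandom"
require "json"
require "base64"
require "openssl"
require "uri"

STATE_HMAC_KEY = "constructed-demo-key-replace-in-real-app".freeze # assumption

# Build a state value: random nonce + app payload, authenticated with HMAC-SHA256.
# Returns [state_string, nonce]; the nonce is what the app stores in the session.
def build_state(payload, key: STATE_HMAC_KEY)
  nonce = SecureRandom.hex(24) # 48 hex chars, same shape as the value in the question
  body = Base64.urlsafe_encode64(JSON.generate("n" => nonce, "p" => payload), padding: false)
  mac = OpenSSL::HMAC.hexdigest("SHA256", key, body)
  ["#{body}.#{mac}", nonce]
end

# Construct the authorization URL the browser is redirected to (v2.0 endpoint).
def authorize_url(tenant, client_id, redirect_uri, scope, state)
  params = { client_id: client_id, redirect_uri: redirect_uri,
             response_type: "code", response_mode: "query",
             scope: scope, state: state }
  "https://login.microsoftonline.com/#{tenant}/oauth2/v2.0/authorize?" +
    URI.encode_www_form(params)
end

# On the callback: verify the HMAC first, then compare the embedded nonce to the
# one saved in the session using a constant-time comparison.
# Returns the app payload on success, nil on any mismatch or malformed input.
def verify_state(returned_state, session_nonce, key: STATE_HMAC_KEY)
  body, mac = returned_state.to_s.split(".", 2)
  return nil if body.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest("SHA256", key, body)
  return nil unless OpenSSL.secure_compare(expected, mac)
  data = JSON.parse(Base64.urlsafe_decode64(body))
  return nil unless OpenSSL.secure_compare(data["n"].to_s, session_nonce.to_s)
  data["p"]
rescue JSON::ParserError, ArgumentError
  nil # tampered or malformed state is rejected, never partially trusted
end
```

The callback handler should reject the request outright when verify_state returns nil, since a missing or mismatched nonce is exactly the CSRF case the answer refers to.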