
There is a requirement from the identity server not to pass 'state' and 'scope' in the URL.

The request is in the following format:

`URL?app=xxx&response_type=code&client_id=yyy&state=zzz&redirect_uri=aaa&scope=openid%20id%20offline_access`

Angular code loads the Auth Config as follows:

```typescript
export const authConfigDefaults: AuthConfig = Object.freeze({
  oidc: false,
  responseType: 'code',
  scope: 'openid id offline_access',
  strictDiscoveryDocumentValidation: false,
  redirectUri: redirectURL,
  silentRefreshTimeout: HALF_HOUR,
  fallbackAccessTokenExpirationTimeInSec: HALF_HOUR,
  useSilentRefresh: true
});
```

'state' is passed in the URL even if I try to set 'state' = '' in the above block.

How do I avoid state and scope in the URL which is passed to the identity server?

James Z
RagaSGNur
  • `state` is indeed optional for the client to pass, but it's required for the server to support. Sounds like both your server _and_ client are buggy. – Evert Sep 06 '22 at 09:36

1 Answer


You must pass scope and state as parameters to IdentityServer, that is how OpenID Connect works...

Why do you not want to pass it?

Tore Nestenius
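What `state` does in the authorization code request discussed in this thread, as an added example that is not code from the question or the answer: the client generates a random value, sends it in the URL, and rejects any callback that does not return the same value. The endpoint, client id, redirect URI and function names are constructed placeholders.

```javascript
// Added example. Runs in a browser or in Node; the constants are constructed values.
const webCrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

const AUTHORIZE_ENDPOINT = 'https://idp.example.test/connect/authorize';
const CLIENT_ID = 'example-spa';
const REDIRECT_URI = 'https://app.example.test/callback';

// Generate an unguessable per-request state value (128 bits, hex encoded).
function newState() {
  const bytes = webCrypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Build the authorization request in the format shown in the question.
// The caller keeps `state` (for example in sessionStorage) until the callback.
function buildAuthorizationRequest(scope = 'openid id offline_access') {
  const state = newState();
  const url = new URL(AUTHORIZE_ENDPOINT);
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: CLIENT_ID,
    state,
    redirect_uri: REDIRECT_URI,
    scope,
  }).toString();
  return { url: url.toString(), state };
}

// Validate the redirect from the identity server before exchanging the code.
// A callback with a missing or different state did not come from a request
// this client started, so it is rejected.
function handleCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  const returned = params.get('state');
  if (!expectedState || !returned || returned !== expectedState) {
    return { ok: false, reason: 'state mismatch' };
  }
  const code = params.get('code');
  if (!code) {
    return { ok: false, reason: params.get('error') || 'missing code' };
  }
  return { ok: true, code };
}
```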