Comment by humanlity

3 years ago

How can I solve this problem cheaply? Here are a few thoughts:

- Generate an encrypted token based on the redirect state value.
- Store the mapping of tenant_id and unique state.
- Wait for Microsoft to support wildcard redirects.

First, just don't enable implicit grant. That makes it a lot harder to screw up.

State is for preventing CSRF, not transferring data. Don't abuse state, it's wrong.

Use your own authorize URL, add an encrypted cookie and redirect to the real one. Even if the cookie is encrypted, only put some kind of session/cache key in it; don't actually send "info". Read the cookie in the callback, then delete it.
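A sketch of the scheme in that last paragraph (own authorize URL, cookie holding only a server-side cache key, one-time read-and-delete in the callback), added here as an illustration and not code from the comment or from Microsoft. The IdP and callback URLs are hypothetical, and the cookie is HMAC-signed rather than encrypted since it carries nothing but an opaque key.

```python
import hmac, hashlib, secrets, time
from urllib.parse import urlencode

COOKIE_KEY = secrets.token_bytes(32)  # constructed; load from real secret storage in practice
IDP_AUTHORIZE = "https://login.example.test/authorize"  # hypothetical IdP endpoint
OUR_CALLBACK = "https://app.example.test/callback"      # hypothetical single registered redirect_uri

_pending = {}  # server-side cache: opaque key -> {"tenant", "state", "exp"}; never sent to the client

def _sign(value):
    mac = hmac.new(COOKIE_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"

def _verify(cookie):
    value, _, mac = cookie.rpartition(".")
    expected = hmac.new(COOKIE_KEY, value.encode(), hashlib.sha256).hexdigest()
    if not value or not hmac.compare_digest(mac, expected):
        return None
    return value

def start_login(tenant_id, now=None):
    """Our own /authorize: mint a CSRF state, park the tenant server-side,
    give the browser only the cache key, then redirect to the real IdP."""
    now = now or time.time()
    state = secrets.token_urlsafe(32)   # state is only for CSRF, it carries no data
    key = secrets.token_urlsafe(32)     # the one thing the cookie is allowed to hold
    _pending[key] = {"tenant": tenant_id, "state": state, "exp": now + 300}
    query = urlencode({"response_type": "code", "redirect_uri": OUR_CALLBACK, "state": state})
    set_cookie = f"oauth_login={_sign(key)}; HttpOnly; Secure; SameSite=Lax; Path=/callback"
    return {"status": 302, "location": f"{IDP_AUTHORIZE}?{query}", "set_cookie": set_cookie}

def finish_login(cookie_value, query_state, now=None):
    """Callback: verify the cookie, match state against the stored one,
    recover the tenant, and consume both the cache entry and the cookie."""
    now = now or time.time()
    key = _verify(cookie_value or "")
    entry = _pending.pop(key, None) if key else None  # pop: one use only, replay fails
    if entry is None or entry["exp"] < now or not hmac.compare_digest(entry["state"], query_state or ""):
        return {"status": 400, "tenant": None}
    return {"status": 200, "tenant": entry["tenant"],
            "set_cookie": "oauth_login=; Max-Age=0; Path=/callback"}  # delete the cookie
```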