Include state if defined in the request query.

[lefcha]

State can be passed with something like:

raise web.HTTPFound("/auth?state=%s" % state)

[mattrasband]

Thanks for contributing!

Can you expand on your goal to help me understand? Are you looking to make the library support state (just as a security mechanism) or are you wanting to pass a state from your main application that can be used when the user is redirected back after the oauth2 flow in the callback handler?

[lefcha]

I wanted to pass state as described at https://tools.ietf.org/html/rfc6749#section-4.1.1

state

RECOMMENDED. An opaque value used by the client to maintain
state between the request and callback. The authorization
server includes this value when redirecting the user-agent back
to the client. The parameter SHOULD be used for preventing
cross-site request forgery as described in Section 10.12.

But noticed this is marked as TODO in the code: https://github.com/mrasband/aiohttp-oauth2/blob/bbcc1d82099f14c31af6b7c2f232b9457f6ae46c/aiohttp_oauth2/client/views.py#L23

[mattrasband]

I’m traveling for the next week, so will be back in touch in a bit. However I think for that to be useful we can’t have it generated by a client coming in and we’d need to validate it on the callback.

I’ve added #13 to make sure to not lose this!

[lefcha]

Great, we can close this then, and implement it in a better way. Thanks!