> 'Sent from the user' -> I assume that's sent from the user's browser,
> but to whom? To the Authorization endpoint? And is that supposed to be
> set by the Relying Party?
>
Sent from the user's browser to Google's authorization endpoint. The relying party needs to do the state validation, hence I think the RP should set the cookie value.

On Mon, Jun 25, 2018 at 3:34 PM, Robert Munteanu <romb...@apache.org> wrote:

> On Mon, 2018-06-25 at 15:30 +0530, Hasini Witharana wrote:
> > >
> > > When the auth endpoint calls back to the relying party (authorization
> > > code request) with a state parameter, we need to check that it is valid
> > > against a particular user, right? But how do we identify that specific
> > > user (in Apache Sling), since there is no authentication done?
> > >
> >
> > We need to validate it against the authorization request sent from the
> > user, that is why I need a cookie.
>
> 'Sent from the user' -> I assume that's sent from the user's browser,
> but to whom? To the Authorization endpoint? And is that supposed to be
> set by the Relying Party?
>
> Robert

--
*Hasini Witharana*
Undergraduate | Department of Computer Science and Engineering
University of Moratuwa
Linkedin <https://www.linkedin.com/in/hasini-witharana-185785109/>
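
The cookie-bound state check discussed in this thread, as an added example that is not part of the original messages or of Apache Sling's code: the relying party sets a cookie holding the state value before redirecting, then compares it with the state returned on the callback. The endpoint URL, client id, redirect URI and cookie name are assumed placeholders.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlencode, parse_qs, urlsplit

# Assumed placeholder values for illustration; none come from the thread.
AUTHZ_ENDPOINT = "https://op.example/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://rp.example/callback"
STATE_COOKIE = "oidc_state"  # hypothetical cookie name


def begin_login():
    """RP, step 1: mint a state value, bind it to this browser with a cookie,
    and build the redirect to the authorization endpoint."""
    state = secrets.token_urlsafe(32)
    cookie = SimpleCookie()
    cookie[STATE_COOKIE] = state
    cookie[STATE_COOKIE]["httponly"] = True
    cookie[STATE_COOKIE]["secure"] = True
    # Lax still lets the cookie ride along on the top-level redirect back.
    cookie[STATE_COOKIE]["samesite"] = "Lax"
    cookie[STATE_COOKIE]["max-age"] = 600
    cookie[STATE_COOKIE]["path"] = "/"
    query = urlencode({"response_type": "code", "client_id": CLIENT_ID,
                       "redirect_uri": REDIRECT_URI, "scope": "openid",
                       "state": state})
    return f"{AUTHZ_ENDPOINT}?{query}", cookie[STATE_COOKIE].OutputString()


def validate_callback(callback_url, cookie_header):
    """RP, step 2: accept the callback only if its state parameter matches the
    cookie sent by the same browser. No authenticated session is required."""
    returned = parse_qs(urlsplit(callback_url).query).get("state", [])
    jar = SimpleCookie(cookie_header or "")
    if len(returned) != 1 or STATE_COOKIE not in jar:
        return False  # missing or duplicated state, or no cookie from this browser
    # Compare as bytes in constant time; bytes also tolerate non-ASCII input.
    return hmac.compare_digest(returned[0].encode(),
                               jar[STATE_COOKIE].value.encode())
```

The cookie should be cleared once the callback has been processed so a state value cannot be reused.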