# talk-hydra
l
Hi #hydra, I'm getting this error when I redirect to the hydra authorize endpoint. Anyone familiar with this?
```
AuthorizationError: The state is missing or does not have enough characters and is therefore considered too weak. Request parameter 'state' must be at least be 8 characters long to ensure sufficient entropy.
```
For ref: I'm using this library for creating a client: https://www.passportjs.org/packages/passport-oauth2/
I passed a random string and this redirected me now to login page.
```js
const express = require("express");
const passport = require("passport");

const app = express();
// A passport-oauth2 strategy registered as "oauth2" (with hydra's
// authorization/token URLs and the client credentials) is assumed here.

app.get(
  "/auth/hydra",
  passport.authenticate("oauth2", {
    scope: ["openid", "offline", "photos.read"],
    // hydra requires a `state` value of at least 8 characters
    state: "i'venoideawhathismeans",
    // passport.authenticate takes a single options object; failureRedirect
    // belongs in it rather than in a separate third argument
    failureRedirect: "/error",
  })
);
```
m
The state parameter is used to protect against XSRF.
Your application generates a random string and sends it to the authorization server using the state parameter. The authorization server sends back the state parameter. If both states are the same => OK. If the state parameters are different, someone else has initiated the request.
Does that make it clearer?
l
Where is this mentioned? I tried searching but couldn't find it. It makes sense to me now. But in this case, we'll need to store it somewhere to retain the state, no?
m
It is not mentioned in our documentation (yet), but I found this thread on SA that explains it well IMO. AFAIK Ory Hydra already takes care of retaining the state 🤔
l
This issue came up when I used passport to set up a local OAuth2 client to consume hydra.
So, the flow was supposed to be: OAuth2 client's endpoint -> passport handler -> hydra auth endpoint -> kratos login and accept hydra's challenge -> redirect to the redirect_to url. When I initiated the flow from the client's endpoint, hydra threw an error asking for state.
@User, do you think it can work this way?
m
Hello @User Sorry that fell off my radar. Would you mind opening a discussion for your last question? https://github.com/ory/hydra/discussions/new That way it can be tracked more easily. I think your flow is correct but I am not sure what the issue is, so having a discussion on GitHub seems the best way to solve it, thanks 🙌
f
Not sure if you figured out your problem yet or not Himanshu, but I've found openid-client (instead of passport-oauth2) to work better with passport to connect to hydra.
l
Since I had to use a dummy app to consume it at that time, it worked with the state: true value. Did you get any issue with state using openid-client? I'll try openid-client this weekend.
f
AFAIK, openid-client sets state automatically. If you want to force set it to true, I don't know if that's possible (I haven't tried). If you just don't want to manage it yourself, I think that's fine.
l
Awesome, thanks for confirming 🙌