# talk-hydra

loud-keyboard-84117

02/19/2022, 3:40 PM
Hi #hydra, I'm getting this error when I redirect to the hydra authorize endpoint. Anyone familiar with this?
```
AuthorizationError: The state is missing or does not have enough characters and is therefore considered too weak. Request parameter 'state' must be at least be 8 characters long to ensure sufficient entropy.
```
For ref: I'm using this library for creating a client: https://www.passportjs.org/packages/passport-oauth2/
I passed a random string and it now redirected me to the login page.
```javascript
const express = require("express");
const passport = require("passport");

const app = express();

app.get(
  "/auth/hydra",
  passport.authenticate("oauth2", {
    scope: ["openid", "offline", "photos.read"],
    // Hydra rejects any state shorter than 8 characters. A fixed string passes
    // that length check but gives no CSRF protection; passport-oauth2 can
    // generate and verify a random per-request state itself (state: true).
    state: "i'venoideawhathismeans",
    // failureRedirect has to live in the same options object: passport.authenticate()
    // treats a third argument as a callback, not as a second set of options.
    failureRedirect: "/error",
  })
);
```
magnificent-energy-493

02/21/2022, 1:14 PM
The state parameter is used to protect against XSRF.
Your application generates a random string and sends it to the authorization server using the state parameter. The authorization server sends back the state parameter. If both states are the same => OK. If the state parameters are different, someone else has initiated the request.
Does that make it clearer?
loud-keyboard-84117

02/22/2022, 7:39 PM
Where is this mentioned? I tried searching but couldn't find it. It makes sense to me now. But in this case, we'll need to store it somewhere to retain the state, no?
magnificent-energy-493

02/22/2022, 7:46 PM
It is not mentioned in our documentation (yet), but I found this thread on SA that explains it well IMO. AFAIK Ory Hydra already takes care of retaining the state 🤔
loud-keyboard-84117

02/22/2022, 8:45 PM
This issue came up when I used passport to set up a local OAuth2 client to consume hydra.
So, the flow was supposed to be: OAuth2 client's endpoint -> passport handler -> hydra auth endpoint -> kratos login and accept hydra's challenge -> redirect to the redirect_to url. When I initiated the flow from the client's endpoint, hydra threw an error asking for state.
@User, do you think it can work this way?
magnificent-energy-493

02/28/2022, 12:01 PM
Hello @User Sorry that fell off my radar. Would you mind opening a discussion for your last question? https://github.com/ory/hydra/discussions/new That way it can be tracked more easily. I think your flow is correct but I am not sure what the issue is, so having a discussion on GitHub seems the best way to solve it, thanks 🙌
freezing-action-3915

05/14/2022, 4:50 AM
Not sure if you figured out your problem yet or not Himanshu, but I've found openid-client (instead of passport-oauth2) to work better with passport to connect to hydra.
loud-keyboard-84117

05/16/2022, 9:04 PM
since I had to use a dummy app to consume at that time, it worked with the state:true value. Did you get any issue with state using openid-client? I'll try openid-client this weekend.
freezing-action-3915

05/16/2022, 9:53 PM
afaik, openid-client sets state automatically. If you want to force set it to true, I don't know if that's possible (I haven't tried). If you just don't want to manage it yourself, I think that's fine.
loud-keyboard-84117

05/17/2022, 3:27 AM
awesome, thanks for confirming 🙌