Is it safe to use a signed string as an OAuth state?
I need to save user info when starting an OAuth login session. I've been doing this by saving a randomly generated string in the database with user data attached to it, then attaching that string to the browser session and using it as the state parameter.
I'm trying to avoid storing data in a database as much as possible, so I thought about attaching the user info I need as a signed string.
I'm not entirely sure if this is good practice, since OAuth.com states that the state parameter should be a randomly generated string; but a signed string using RSA-SHA256 should look random enough to the client.
I'm also aware this may result in lengthy state parameters, but I don't think most OAuth services such as Google really care about the state/URL length (or at least I don't see that listed in their documentation).
I'll be using a secure private key, of course.
So, the question is: is this a bad idea, or a good idea?
Refs: https://auth0.com/docs/secure/attack-protection/state-parameters
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
