The page https://developers.google.com/identity/openid-connect/openid-connect advises how can we maintain state in session on the service for retrieving it and validating later once we obtain auth code from OP.
But how to do maintain state in a RESTful service which is stateless ? Please help.
Code like request.session().attribute("state", state) wont work there.
I am using .net core webapi for services and JavaScript for UI development
2
Answers
So, this is what I did. I created an end point which I invoke (before redirecting to OP) to generate the state and also return an http only cookie. Next when I make a service call (like) to retrieve token for authcode I pass state (retrieved from URL) and the httponly cookie to the service. The service EP validates that the state obtained from the cookie and the one passed in the body are equal. If its same then we are good otherwise it rejects that request.
You can save the state in an encrypted cookie, for example. And in ASP.NET Core, the data stored in the session cookie is encrypted using the Data Protection API.
But in general, you should use the built-in dedicated Google authentication handler, as described here:
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/social/google-logins?view=aspnetcore-7.0
Then it is all handled for you.