Let me introduce the problem and how I discovered Auth0.
We sell a thing you might call a network appliance. It is a smart gateway to embedded devices. One end serves a basic HTTP/websocket; we want to bump up security and add social integration.
You might have seen the problem already: we have multiple servers, and users logged into one cannot be accepted by the other.
So my idea was to pass a custom JWT to the login page so I can encode a unique server id and use a rule to annotate the resulting user profile.
I’m having a hard time wrapping my head around the documentation. I found something about auth:params regarding Lock’s option object, but it is unclear to me if I can put arbitrary parameters there. Besides, Lock somehow went modal instead of taking me to the hosted page. I want HTTPS and the green lock.
So I tried Auth-js. It has been surprisingly smooth. I managed to get my rule to reject the login, as the server-id I was looking for was not there.
So I guess the ‘state’ isn’t really just a black blob as a security measure but it is actually arbitrary data? Even if it is, am I supposed to put such important information there?
I read the documentation again and again and while I had the impression ‘state’ could be arbitrary, the constant references to the attack vectors made me think it was really supposed to be… some kind of random blob? Better to leave auth0-js to generate it for me?