Android unable to overwrite State request parameter

Questions OAuth/OIDC
1

Hi,

I’m working on a project with both Android and iOS apps. On login, we’re looking to pass additional information within the State request parameter.

Android is unable to change State from its default. iOS is able to overwrite State. Looking at the examples I can see both Go and Spring Boot are also able to set State.

Would it be possible to update the Android to make it possible to change the State request parameter?

In case it’s helpful, the problem looks to be in com.okta.oauth2.AuthorizationCodeFlow.

The public fun start() (Line 106) sets the default value for State without a way to change it.
The internal fun start() (Line 121) adds this State as a query parameter without checking extraRequestParameters to see if a State value has already been added (multiple will cause an error).

For solutions I think either:

  • The the public start() could provide an overloaded version that exposes State or move State to a default parameter.
  • The internal start() could avoid adding the default State if State has already been added using extraRequestParameters.

Unsure if I was best to post this here or directly on the Github issues. Hopefully this is ok.

Thanks

2

Hi Gwen,

Umm…

On line 109, scope is set to a default parameter but if you pass that when start is called you’ll get the new value. So I’m not really seeing the problem.

But I am curious why you want state? I have never used state for any native application or a single page application. State is great for web applications where you don’t have a way to remember what the user was asking for because they didn’t have a session (although you could create a “non-logged-in” session in some environments). In a native application it’s still running when the callback occurs so you have the memory, you know what you were doing!

Regards,
Joel

1 Like