case class AntiForgeryChecker(signingSecret: String, signatureAlgorithm: SignatureAlgorithm, sessionIdKeyName: String = "play-googleauth-session-id") extends Product with Serializable
When the OAuth callback returns to our app, we need to ensure that this is the end of a valid authentication
sequence that we initiated, and not a forged redirect. Rather than use a nonce, we use a signed session id
in a short-lifetime Json Web Token, allowing us to cope better with concurrent authentication requests from the
same browser session.
"One good choice for a state token is a string of 30 or so characters constructed using a high-quality
random-number generator. Another is a hash generated by signing some of your session state variables with
a key that is kept secret on your back-end."
- https://developers.google.com/identity/protocols/OpenIDConnect#createxsrftoken
The design here is partially based on an IETF draft for "Encoding claims in the OAuth 2 state parameter ...":
https://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state-01
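The check described above, as an added example that is not play-googleauth's own code: the `state` parameter is a short-lived HS256 JWT carrying the browser's session id, and the callback accepts it only if the signature verifies, the token has not expired, and the session id inside it matches the one in the browser's cookie. The claim name `sid`, the fixed HS256 algorithm and the 300-second lifetime are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    # JWT uses unpadded base64url
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def generate_state(secret: bytes, session_id: str, now: int, lifetime_s: int = 300) -> str:
    """Build the OAuth `state` value: an HS256 JWT binding this login attempt to the session id."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sid": session_id, "iat": now, "exp": now + lifetime_s}  # 'sid' is an assumed claim name
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_state(secret: bytes, state: str, session_id_from_cookie: str, now: int) -> bool:
    """Return True only for an untampered, unexpired state whose session id matches the cookie."""
    try:
        header_b64, payload_b64, sig_b64 = state.split(".")
        # Verify the MAC with our own fixed algorithm; never trust the token's 'alg' to pick it.
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return False
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            return False
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed split, base64 or JSON
        return False
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False  # short lifetime limits how long a captured state stays usable
    return hmac.compare_digest(str(claims.get("sid", "")), session_id_from_cookie)


if __name__ == "__main__":
    key = b"constructed-example-secret"  # constructed; a real deployment keeps this server-side
    token = generate_state(key, "session-abc", int(time.time()))
    print("valid callback:", verify_state(key, token, "session-abc", int(time.time())))
```

Two concurrent login attempts from the same session each get a state that verifies against that session's cookie, which is why this design copes with concurrency better than a single stored nonce.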
Linear Supertypes
Serializable, Serializable, Product, Equals, AnyRef, Any