diff --git a/src/main/java/me/zhyd/oauth/config/AuthConfig.java b/src/main/java/me/zhyd/oauth/config/AuthConfig.java
index e17bcd89a5aba83ccac8faefb4244f2087ea6710..153585eddfbdfe009ed207f4382169ad1c2f798d 100644
--- a/src/main/java/me/zhyd/oauth/config/AuthConfig.java
+++ b/src/main/java/me/zhyd/oauth/config/AuthConfig.java
@@ -2,6 +2,7 @@ package me.zhyd.oauth.config;
import com.xkcoding.http.config.HttpConfig;
import lombok.*;
+import me.zhyd.oauth.model.AuthCallback;
/**
* JustAuth配置类
@@ -79,4 +80,22 @@ public class AuthConfig {
* @since 1.15.5
*/
private HttpConfig httpConfig;
+
+ /**
+ * 忽略校验 {@code state} 参数,默认不开启。当 {@code ignoreCheckState} 为 {@code true} 时,
+ * {@link me.zhyd.oauth.request.AuthDefaultRequest#login(AuthCallback)} 将不会校验 {@code state} 的合法性。
+ *
+ * 使用场景:当且仅当使用自实现 {@code state} 校验逻辑时开启
+ *
+ * 以下场景使用方案仅作参考:
+ * 1. 授权、登录为同端,并且全部使用 JustAuth 实现时,该值建议设为 {@code false};
+ * 2. 授权和登录为不同端实现时,比如前端页面拼装 {@code authorizeUrl},并且前端自行对{@code state}进行校验,
+ * 后端只负责使用{@code code}获取用户信息时,该值建议设为 {@code true};
+ *
+ * 如非特殊需要,不建议开启这个配置
+ *
+ * 该方案主要为了解决以下类似场景的问题:
+ * @see https://github.com/justauth/JustAuth/issues/83
+ */
+ private boolean ignoreCheckState;
}
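Review bot: The Javadoc on `ignoreCheckState` explains when to enable the flag but never says what is given up: `state` is the OAuth 2.0 anti-CSRF binding between the authorize redirect and the callback, so with this flag set `AuthDefaultRequest#login(AuthCallback)` accepts any callback whose `code` is valid, and the caller must validate `state` themselves against the value they issued before calling `login`. I would add a line to the Javadoc such as `* 开启后 JustAuth 不再对回调做 CSRF 防护,调用方必须在调用 login 之前自行校验 state 与授权时下发的值一致。` and state explicitly that the default is `false` (the field is only default-initialized), so existing configurations keep the check. The `@see https://github.com/justauth/JustAuth/issues/83` tag is not a valid `@see` form for a URL and will produce a doclint warning; write it as `@see <a href="https://github.com/justauth/JustAuth/issues/83">JustAuth issue #83</a>`. The enclosing class `AuthConfig` starts outside this hunk.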
diff --git a/src/main/java/me/zhyd/oauth/request/AuthDefaultRequest.java b/src/main/java/me/zhyd/oauth/request/AuthDefaultRequest.java
index fe17868858a78efbf16a16f74fc1f0f5ee188ed0..241840008717da963680ebff7f7dd472081abf21 100644
--- a/src/main/java/me/zhyd/oauth/request/AuthDefaultRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthDefaultRequest.java
@@ -74,7 +74,9 @@ public abstract class AuthDefaultRequest implements AuthRequest {
public AuthResponse login(AuthCallback authCallback) {
try {
AuthChecker.checkCode(source, authCallback);
- AuthChecker.checkState(authCallback.getState(), source, authStateCache);
+ if (!config.isIgnoreCheckState()) {
+ AuthChecker.checkState(authCallback.getState(), source, authStateCache);
+ }
AuthToken authToken = this.getAccessToken(authCallback);
AuthUser user = this.getUserInfo(authToken);