State validation was added in 5.1.0 for improved security. By default, this uses session storage and will happen automatically if you are using a combination of Auth0::login() and any method which calls Auth0::exchange() in your callback.
If you need to use a different storage method, implement your own StateHandler and set it using the state_handler config key when you initialize an Auth0 instance.
If you are using Auth0::exchange() and a method other than Auth0::login() to generate the Authorize URL, you can disable automatic state validation by setting the state_handler key to false when you initialize the Auth0 instance. It is highly recommended to implement state validation, either automatically or otherwise.
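The checks a replacement state handler has to perform, as an added example (not code from the SDK). It does not implement the SDK's StateHandler interface, whose methods are not shown here; the class name, method names, storage key and array-backed store are assumptions standing in for your own storage.

```php
<?php
// Added example: hypothetical class, not the Auth0 SDK's StateHandler.
final class ArrayStateHandler
{
    private const KEY = 'oauth2_state'; // assumed storage key

    private $store;

    // $store is taken by reference so it can stand in for any
    // persistent per-user storage (session, cache, database row).
    public function __construct(array &$store)
    {
        $this->store = &$store;
    }

    // Call when building the Authorize URL: create an unguessable
    // value, persist it, and send it as the "state" parameter.
    public function issue(): string
    {
        $state = bin2hex(random_bytes(16));
        $this->store[self::KEY] = $state;
        return $state;
    }

    // Call in the callback before exchanging the code.
    public function validate(?string $returned): bool
    {
        $expected = $this->store[self::KEY] ?? null;
        unset($this->store[self::KEY]); // single use, even on failure

        if (!is_string($expected) || !is_string($returned) || $returned === '') {
            return false; // nothing was issued, or nothing came back
        }
        return hash_equals($expected, $returned); // constant-time compare
    }
}

// Constructed demonstration; $session stands in for real storage.
$session = [];
$handler = new ArrayStateHandler($session);

$state = $handler->issue();
var_dump($handler->validate($state));             // value returned unchanged
var_dump($handler->validate($state));             // same value replayed
$handler->issue();
var_dump($handler->validate('mismatched-value')); // value that was never issued
var_dump($handler->validate(null));               // callback with no state at all
```

Only the first call validates; the replay, the mismatch and the missing value are all rejected because the stored value is consumed on every attempt.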
Closed issues
- Support for php-jwt 5 #210
Added
- Adding tests for state handler; correcting storage method used #228 (joshcanhelp)
Changed
- Bumping JWT package version #229 (joshcanhelp)