Hi folks, I’ve set up JupyterHub and used custom oauthentication from my server to allow users to log in. I’ve modified the workflow such that it returns the user data during the first API request to /oauth/authorize. Exactly how does the state query param that is passed prevent another person (hacker) from capturing that state, setting their browser cookie and logging in? Does it have anything to do with the cookie secret that is set initially?
If everything is encrypted (https), at worst an attacker snooping on your network would see the domains or IPs you’re visiting, but they wouldn’t see the rest of the URL, nor would they see any cookies or other sensitive information.
If you’re not using https then there’s not much you can do; the attacker will be able to see everything.
Edit: see this post for an explanation of the login process:
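On the `state` parameter the question asks about, here is an added example (not code from this thread, JupyterHub or OAuthenticator) of the check a hub can perform. It assumes a hypothetical signing key standing in for the hub's cookie secret: the state is generated per login attempt and also stored in a signed cookie in the browser that started the login, so a `state` value captured from someone else's URL cannot complete the callback without that browser's cookie.

```python
import hashlib
import hmac
import secrets

# Constructed demo key; in a real hub this role is played by the cookie secret.
COOKIE_SECRET = b"constructed-demo-secret-do-not-reuse"


def _sign(value: str) -> str:
    """Return value.mac so the cookie cannot be forged without the secret."""
    mac = hmac.new(COOKIE_SECRET, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def _verify(signed: str):
    """Return the embedded value if the MAC is valid, else None."""
    value, _, mac = signed.rpartition(".")
    if not value:
        return None
    expected = hmac.new(COOKIE_SECRET, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(mac, expected) else None


def start_login():
    """Step 1: before redirecting to /oauth/authorize, mint a fresh state.

    Returns (state to put in the redirect URL, signed cookie to set in the
    browser making this request).
    """
    state = secrets.token_urlsafe(32)
    return state, _sign(state)


def handle_callback(returned_state: str, state_cookie) -> bool:
    """Step 2: on the callback, accept only if the URL state matches the
    state bound to this browser via its signed cookie."""
    if not state_cookie or not returned_state:
        return False
    bound_state = _verify(state_cookie)
    if bound_state is None:
        return False  # cookie missing or tampered with
    # Constant-time compare: both are ASCII strings of our own making.
    return hmac.compare_digest(bound_state, returned_state)
```

A real implementation also clears the state cookie once the callback succeeds, so each state is single-use.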