I have some security concerns about the first step of account authentication in my application.
The authentication goes through an OpenID provider. If the response of such provider shows that the user is already registered, I authenticate him, sending an auth token that will be stored in a cookie and sent back as a Bearer header. The token is signed using JWT and the session is kept in Mongo. If that's the first time he authenticates, I create the account and do the same process.
It seems insecure to me because I don't use the state parameter of the OpenID flow, since I can't generate something based on a user that maybe doesn't exist yet.
I've seen multiple times that the use of such parameter was strongly recommended, but also answers like this one saying this was useless.
He will also have to authenticate on another OAuth provider after that, but since this operation will be available only to logged-in users, I can easily generate and send the state parameter to the provider using some sort of encryption with the user id to help me retrieve him, and nobody can trick the session.
I've also seen that it's not a good practice to check for the referrer URL of the OAuth callback, but it seems quite secure to me, since it denies attacks on the client.
Please note that the application will be using SSL so there will not be concerns about MITM.
I know I can create a local user using the classic email and password association and then authenticate with the two OpenID providers, but I would like to skip such boring process, is that possible, securely?