www-editor does not work with correct IndieAuth implementations
It appears that since yesterday's conversations in indieweb-dev about authorization code (re-)usage, IndieAuth flows are broken for me when using indieauth.com, due to me also misimplementing this.
Instead of relying on the `me` from the validation of the authorization code (which means it can't be reused for the token endpoint) we need to instead map the `me` from the authorization request to the `state` parameter.
This must be done in the `IndieAuthService`:
String retrieveMeForState(String state);
And will require internal tweaks to make it work.
Plus, if the authorization code is used, the state must be removed.
Edited by Jamie Tanna
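One way the state-to-`me` mapping described in this issue could look, as an added example that is not www-editor's own code. Only `retrieveMeForState` comes from the issue; the class name, `newStateFor`, `removeState`, the 10-minute lifetime and the sample URL are assumptions.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical in-memory store binding each `state` to the `me` it was issued for.
public class InMemoryStateStore {
  private record Pending(String me, Instant expiresAt) {}

  private static final Duration TTL = Duration.ofMinutes(10); // assumed lifetime
  private final Map<String, Pending> pending = new ConcurrentHashMap<>();
  private final SecureRandom random = new SecureRandom();

  // Called when building the authorization request: bind a fresh state to `me`.
  public String newStateFor(String me) {
    byte[] bytes = new byte[32];
    random.nextBytes(bytes);
    String state = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    pending.put(state, new Pending(me, Instant.now().plus(TTL)));
    return state;
  }

  // Signature from the issue; returns null for an unknown, expired or removed state.
  public String retrieveMeForState(String state) {
    Pending p = (state == null) ? null : pending.get(state);
    if (p == null) return null;
    if (Instant.now().isAfter(p.expiresAt())) {
      pending.remove(state);
      return null;
    }
    return p.me();
  }

  // Called once the authorization code has been used, so the state is single-use.
  public void removeState(String state) {
    if (state != null) pending.remove(state);
  }

  public static void main(String[] args) {
    InMemoryStateStore store = new InMemoryStateStore();
    String state = store.newStateFor("https://example.com/"); // constructed value
    System.out.println(store.retrieveMeForState(state)); // callback: look up me by state
    store.removeState(state);                            // authorization code was used
    System.out.println(store.retrieveMeForState(state)); // replayed callback finds nothing
  }
}
```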