Why is the transaction id necessary?

[apichick]

Could you clarify why the transaction id is necessary? Wouldn't it be enough to check if the user is logged in?

[smaclell]

Some oauth workflows require multiple requests and responses with the user.

One example of this is when user consent is required. The first request would show a dialog asking for consent which then posts back to a second route. That second route needs all the information from the first request. Since some of the information may be sensitive, the framework saves it all for you as a transaction within the session. It is then reused within the second request via something like server.decision().

This is explained in the source code at:

oauth2orize/lib/middleware/authorization.js

Lines 11 to 16 in f6dabcc

	* Obtaining authorization via OAuth 2.0 consists of a sequence of discrete
	* steps. First, the client requests authorization from the user (in this case
	* using an authorization server as an intermediary). The authorization server
	* conducts an approval dialog with the user to obtain permission. After access
	* has been allowed, a grant is issued to the client which can be exchanged for
	* an access token.

I hope that helps.