Comments (21)
Yeah, I'm trying to avoid adding yet another config parameter here, plus clear up some confusion about how require_state
is supposed to work. I'm not sure how require_state
ever worked as false
because stored_state
will always have a value since new_state
always sets the value to some random value.
from omniauth_openid_connect.
@skycocker @syakovyn @bufferoverflow I think require_state
was added in #127. Do you see any reason why we couldn't simplify this via:
diff --git a/lib/omniauth/strategies/openid_connect.rb b/lib/omniauth/strategies/openid_connect.rb
index ebfaaa1..6d80a66 100644
--- a/lib/omniauth/strategies/openid_connect.rb
+++ b/lib/omniauth/strategies/openid_connect.rb
@@ -120,7 +120,12 @@ module OmniAuth
def callback_phase
error = params['error_reason'] || params['error']
error_description = params['error_description'] || params['error_reason']
- invalid_state = (options.require_state && params['state'].to_s.empty?) || params['state'] != stored_state
+ invalid_state =
+ if options.require_state
+ params['state'].to_s.empty? || params['state'] != stored_state
+ else
+ false
+ end
raise CallbackError, error: params['error'], reason: error_description, uri: params['error_uri'] if error
raise CallbackError, error: :csrf_detected, reason: "Invalid 'state' parameter" if invalid_state
I'm not sure if state
is being used somewhere else, but if it's just forwarded back, there's no use in generating it?
from omniauth_openid_connect.
Oh, I see that was proposed in #127 (comment).
The issue here is that if the state
is generated by the authorize_uri
, chances are the OpenID provider will pass it along. So maybe we should have gone with the original implementation?
from omniauth_openid_connect.
Hi! Thanks for looking into this.
In the mean time, I've gone ahead and made a working though naive implementation of a solution introducing an additional send_state
config parameter.
I went with this solution because I didn't want to alter the behavior of the require_state
config parameter.
Hope this helps!
from omniauth_openid_connect.
Related Issues (20)
- Allow relaxing state check for IdP initiated SSO HOT 6
- Automatically set (and send?) redirect_uri HOT 2
- Dynamically Set ACR Values HOT 3
- OneLogin OIDC post_logout_redirect_uri issue HOT 3
- OpenID-provider without `userinfo_endpoint`
- Uninitialized constant json::jws::unknownalgorithm HOT 1
- Pitfalls setting up OIDC with ADFS HOT 2
- Why should the logout path be relative to request_path
- Possible bug when upgrading to 0.7.0 and openid_connect to 2.2.0 HOT 2
- When using jwks_uri, default value fails becuase it's not a URI
- OmniAuth::Strategies::OpenIDConnect::CallbackError, csrf_detected | Invalid 'state' parameter HOT 3
- Authentication failure! no implicit conversion of Hash into String (version 0.6.1) HOT 3
- Migration guide from gitlab-omniauth-openid-connect to this gem? HOT 4
- Problem using microsoft oauth2 as provider because of dynamic issuer HOT 22
- Dynamic client_options.redirect_uri value HOT 3
- Could not authenticate you from [My Provider name] because "Unknown" HOT 3
- Actioncontroller::InvalidAuthenticityToken with omniauth_openid_connect and omniauth-rails_csrf_protection HOT 1
- Getting a routing error after initialization HOT 3
- Back-channel Single Sign Out Support
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from omniauth_openid_connect.