Make the state parameter verification optional #127
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
skycocker
changed the title
skycocker
force-pushed
the
122-ms-optional_state
branch
from
82ca2a2 to
bbe06b6
Compare
syakovyn
reviewed
Oct 27, 2022
| error = params['error_reason'] || params['error'] | ||
| error_description = params['error_description'] || params['error_reason'] | ||
| invalid_state = params['state'].to_s.empty? || params['state'] != stored_state | ||
| invalid_state = options.verify_state && (params['state'].to_s.empty? || params['state'] != stored_state) |
There was a problem hiding this comment.
I'd not exclude state mismatch from the check. Only a case when there is no state stored and no state passed.
Maybe change it to:
(options.require_state && params['state'].to_s.empty?) || params['state'] != stored_stateand use require_state instead of verfiy_state
Contributor
Author
There was a problem hiding this comment.
Fair - made the changes.
skycocker
force-pushed
the
122-ms-optional_state
branch
from
bbe06b6 to
19b1c3d
Compare
syakovyn
approved these changes
Oct 27, 2022
Contributor
|
Can you rebase |
Contributor
|
There are also Rubocop failures in https://github.com/omniauth/omniauth_openid_connect/actions/runs/3338515447/jobs/5862634541. |
skycocker
force-pushed
the
122-ms-optional_state
branch
from
19b1c3d to
de13bcf
Compare
skycocker
force-pushed
the
122-ms-optional_state
branch
from
de13bcf to
96de262
Compare
Contributor
Author
|
Addressed. |
stanhu
reviewed
Nov 21, 2022
CHANGELOG.md
Outdated
| @@ -1,3 +1,7 @@ | |||
| # v0.4.1 (06.02.2022) | |||
Contributor
There was a problem hiding this comment.
We should probably create an UNRELEASED section, and update this after the official release has been cut.
stanhu
reviewed
Nov 21, 2022
stanhu
reviewed
Nov 21, 2022
syakovyn
approved these changes
Nov 21, 2022
omniauth#132 refactored the test so that nonce is automatically generated.
stanhu
added a commit
that referenced
this pull request
Jun 27, 2024
In #127, `require_state` was introduced because according to https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3.1.2.1, `state` is recommended but not required: ``` state RECOMMENDED. Opaque value used to maintain state between the request and the callback. Typically, Cross-Site Request Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the value of this parameter with a browser cookie. ``` During review, the `require_state` parameter was modified to verify `state` as long as `stored_state` was present. However, `stored_state` always holds at least a random value, so when `require_state` were `false` and if an OpenID provider did not relay the `state` value, authentication would halt with a "Invalid 'state' parameter" error. This commit updates it so that if `require_state` is set to `false`, the `state` parameter is never checked at all.
stanhu
added a commit
that referenced
this pull request
Jun 27, 2024
In #127, `require_state` was introduced because according to https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3.1.2.1, `state` is recommended but not required: ``` state RECOMMENDED. Opaque value used to maintain state between the request and the callback. Typically, Cross-Site Request Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the value of this parameter with a browser cookie. ``` During review, the `require_state` parameter was modified to verify `state` as long as `stored_state` was present. However, `stored_state` always holds at least a random value, so when `require_state` were `false` and if an OpenID provider did not relay the `state` value, authentication would halt with a "Invalid 'state' parameter" error. This commit updates it so that if `require_state` is set to `false`, the `state` parameter is never checked at all.
stanhu
added a commit
that referenced
this pull request
Jun 27, 2024
In #127, `require_state` was introduced because according to https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3.1.2.1, `state` is recommended but not required: ``` state RECOMMENDED. Opaque value used to maintain state between the request and the callback. Typically, Cross-Site Request Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the value of this parameter with a browser cookie. ``` During review, the `require_state` parameter was modified to verify `state` as long as `stored_state` was present. However, `stored_state` always holds at least a random value, so when `require_state` were `false` and if an OpenID provider did not relay the `state` value, authentication would halt with a "Invalid 'state' parameter" error. This commit updates it so that if `require_state` is set to `false`, the `state` parameter is never checked at all.
bufferoverflow
pushed a commit
that referenced
this pull request
Jun 28, 2024
In #127, `require_state` was introduced because according to https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3.1.2.1, `state` is recommended but not required: ``` state RECOMMENDED. Opaque value used to maintain state between the request and the callback. Typically, Cross-Site Request Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the value of this parameter with a browser cookie. ``` During review, the `require_state` parameter was modified to verify `state` as long as `stored_state` was present. However, `stored_state` always holds at least a random value, so when `require_state` were `false` and if an OpenID provider did not relay the `state` value, authentication would halt with a "Invalid 'state' parameter" error. This commit updates it so that if `require_state` is set to `false`, the `state` parameter is never checked at all.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Addresses #122.