
Getting the state parameter back #74

Open
daleif opened this issue Apr 11, 2023 · 1 comment

Comments

@daleif
Contributor

daleif commented Apr 11, 2023

We can specify the state variable for example in oauth2.auth_url. But it is not obvious to me how we get it back.

Looking into the code behind oauth2.get_token_p we can see that the state variable is picked up when there is an incoming code request. And it is passed on to the POST call to the token_url. But the state is not included in the POST response (at least not in the tests I've made so far).

How exactly are we supposed to get the specific state value back again?

@tomascohen

tomascohen commented May 10, 2023

This is a bit specific to my project, but what I did is this, right before the call to get_token_p:

    # Determine if it is a callback request, or the initial
    my $is_callback = $c->param('error_description') || $c->param('error') || $c->param('code');

    my $state;

    if ($is_callback) {
        # callback, check CSRF token
        # FIXME: Optional?
        $state = $c->param('state');
        # check here
    }
    else {
        # initial request, generate CSRF token
        $state = Koha::Token->new->generate_csrf( { session_id => $c->req->cookie('CGISESSID')->value } );
    }

I based the $is_callback calculation on what I found in _get_token_p. Then, I do the usual

    return $c->oauth2->get_token_p( $provider => { ( !$is_callback ? ( state => $state ) : () ), redirect_uri => ...

My feeling is we should add a couple of function-reference parameters to get_token_p:

  • state_generator
  • state_validator

that way it will be cleaner.
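The round trip the thread is describing, as an added example that is not code from the issue, from Koha or from Mojolicious::Plugin::OAuth2: the provider echoes `state` back on the redirect to `redirect_uri`, so it is read from the callback's query parameters, never from the token endpoint's POST response. The example is written in Python as language-neutral logic rather than as a Mojolicious action; the `state_generator` / `state_validator` split mirrors the parameters proposed above, and the dict-based session, the provider URL and the client identifiers are constructed placeholders. It goes slightly beyond the snippet above by consuming the state on first use (so a replayed callback fails) and comparing it in constant time.

```python
"""Added example (not code from the issue or from Mojolicious::Plugin::OAuth2):
the OAuth2 `state` round trip, language-neutral, shown in Python. Names, URLs
and the dict-based session are constructed placeholders."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders for the provider and client configuration.
AUTHORIZE_URL = "https://provider.example/oauth/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example/oauth/callback"
SESSION_KEY = "oauth2_state"


def state_generator(session: dict) -> str:
    """Initial request: mint an unguessable state and bind it to this session."""
    state = secrets.token_urlsafe(32)
    session[SESSION_KEY] = state
    return state


def state_validator(session: dict, query: dict) -> bool:
    """Callback: compare the echoed state with the session's copy, once only."""
    expected = session.pop(SESSION_KEY, None)   # consume it, so a replay fails
    received = query.get("state")
    if expected is None or received is None:
        return False
    return hmac.compare_digest(expected, received)


def is_callback(query: dict) -> bool:
    """Same test as the $is_callback line above: any of these params means the
    provider redirected the browser here."""
    return any(key in query for key in ("code", "error", "error_description"))


def handle_request(session: dict, query: dict) -> tuple:
    """One controller action serving both legs of the flow.

    Returns a (verb, detail) pair describing what the app should do next:
    ("redirect", url), ("exchange", code), ("error", message) or ("reject", why).
    """
    if not is_callback(query):
        state = state_generator(session)
        params = {"response_type": "code", "client_id": CLIENT_ID,
                  "redirect_uri": REDIRECT_URI, "state": state}
        return ("redirect", AUTHORIZE_URL + "?" + urlencode(params))

    # Callback leg: check state before looking at code or error at all, so a
    # forged callback cannot drive a code exchange inside the victim's session.
    if not state_validator(session, query):
        return ("reject", "state missing, mismatched or already used")
    if "error" in query:
        return ("error", query.get("error_description", query["error"]))
    return ("exchange", query["code"])


def state_from_redirect(url: str) -> str:
    """Walkthrough helper: pull the state out of the authorize URL we built,
    which is exactly the value the provider will echo back."""
    return parse_qs(urlparse(url).query)["state"][0]


if __name__ == "__main__":
    session = {}
    verb, url = handle_request(session, {})          # initial request
    print(verb, url)
    echoed = state_from_redirect(url)
    print(handle_request(session, {"code": "AUTHCODE", "state": echoed}))  # valid callback
    print(handle_request(session, {"code": "AUTHCODE", "state": echoed}))  # replay: rejected
```

`state_validator` pops the stored value rather than reading it, which is what makes the check single-use; if the plugin grew the proposed `state_validator` parameter, a callback with this shape (session plus the callback's params, returning true or false) would slot in where the `# check here` comment sits above.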
