oauth2: state parameter is missing when response_type=id_token - closes

#96
ory · Sep 21, 2016 · 4db1422 · 4db1422
1 parent ddd8d03
commit 4db1422
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 0 deletions.
diff --git a/handler/openid/flow_implicit.go b/handler/openid/flow_implicit.go
@@ -60,6 +60,8 @@ func (c *OpenIDConnectImplicitHandler) HandleAuthorizeEndpointRequest(ctx contex
 		}
 
 		claims.AccessTokenHash = hash[:c.RS256JWTStrategy.GetSigningMethodLength()/2]
+	} else {
+		resp.AddFragment("state", ar.GetState())
 	}
 
 	if err := c.IssueImplicitIDToken(ctx, req, ar, resp); err != nil {

diff --git a/handler/openid/flow_implicit_test.go b/handler/openid/flow_implicit_test.go
@@ -48,6 +48,7 @@ func TestImplicit_HandleAuthorizeEndpointRequest(t *testing.T) {
 			description: "should not do anything because request requirements are not met",
 			setup: func() {
 				areq.ResponseTypes = fosite.Arguments{"id_token"}
+				areq.State = "foostate"
 			},
 		},
 		{
@@ -121,6 +122,7 @@ func TestImplicit_HandleAuthorizeEndpointRequest(t *testing.T) {
 			},
 			check: func() {
 				assert.NotEmpty(t, aresp.GetFragment().Get("id_token"))
+				assert.NotEmpty(t, aresp.GetFragment().Get("state"))
 				assert.Empty(t, aresp.GetFragment().Get("access_token"))
 			},
 		},
@@ -131,6 +133,7 @@ func TestImplicit_HandleAuthorizeEndpointRequest(t *testing.T) {
 			},
 			check: func() {
 				assert.NotEmpty(t, aresp.GetFragment().Get("id_token"))
+				assert.NotEmpty(t, aresp.GetFragment().Get("state"))
 				assert.NotEmpty(t, aresp.GetFragment().Get("access_token"))
 			},
 		},
@@ -142,6 +145,7 @@ func TestImplicit_HandleAuthorizeEndpointRequest(t *testing.T) {
 			},
 			check: func() {
 				assert.NotEmpty(t, aresp.GetFragment().Get("id_token"))
+				assert.NotEmpty(t, aresp.GetFragment().Get("state"))
 				assert.NotEmpty(t, aresp.GetFragment().Get("access_token"))
 			},
 		},