Commit
Add 'session_state' to redirect query removal
AzureAD sends code, state, and session_state query parameters along with the redirect, which need to be scrubbed for this function to work.
dreamlibrarian committed Nov 19, 2021
1 parent d48a1b1 commit 85c5e97
Showing 1 changed file with 5 additions and 3 deletions.
8 changes: 5 additions & 3 deletions baseapp/auth/oauth2/handler.go
Expand Up @@ -23,9 +23,10 @@ import (
)

const (
queryCode = "code"
queryError = "error"
queryState = "state"
queryCode = "code"
queryError = "error"
queryState = "state"
querySessionState = "session_state"
)

var (
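Review bot: querySessionState in the const block has no comment explaining where it comes from, unlike queryCode, queryError and queryState, which are self-explanatory OAuth2 authorization response parameters. The commit message says AzureAD sends session_state with the redirect; put that in a one-line comment above the constant so a later reader does not drop it as unused or unknown.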
Expand Down Expand Up @@ -190,6 +191,7 @@ func redirectURL(r *http.Request, forceTLS bool) string {
q := u.Query()
q.Del(queryCode)
q.Del(queryState)
q.Del(querySessionState)
u.RawQuery = q.Encode()

return u.String()
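Review bot: the scrubbing in redirectURL is a hand-maintained run of q.Del calls, so every provider that appends another parameter to the callback needs another line here, and a missed one leaves that value in the URL this function returns. Consider a package-level slice of parameter names to strip and a loop over it, which keeps the list in one place next to the constants. Two related questions: queryError is declared in the same const block but is not deleted in the visible lines, so is an error value meant to survive into the redirect URL? And the commit touches only handler.go; a test case for redirectURL with a callback carrying code, state and session_state would pin the new behaviour.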
