From 85c5e974f17305cb07bb5fe6afed319327f86a28 Mon Sep 17 00:00:00 2001
From: Tristan Smith
Date: Fri, 19 Nov 2021 14:55:46 -0800
Subject: [PATCH] Add 'session_state' to redirect query removal

AzureAD sends code, state, and session_state query parameters along with the redirect, which need to be scrubbed for this function to work.
---
 baseapp/auth/oauth2/handler.go | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/baseapp/auth/oauth2/handler.go b/baseapp/auth/oauth2/handler.go
index 335aa1c2..65e0ae4f 100644
--- a/baseapp/auth/oauth2/handler.go
+++ b/baseapp/auth/oauth2/handler.go
@@ -23,9 +23,10 @@ import (
 )
 
 const (
-	queryCode = "code"
-	queryError = "error"
-	queryState = "state"
+	queryCode = "code"
+	queryError = "error"
+	queryState = "state"
+	querySessionState = "session_state"
 )
 
 var (
@@ -190,6 +191,7 @@ func redirectURL(r *http.Request, forceTLS bool) string {
 	q := u.Query()
 	q.Del(queryCode)
 	q.Del(queryState)
+	q.Del(querySessionState)
 	u.RawQuery = q.Encode()
 	return u.String()
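Review bot: The scrub list this const block feeds is still a hand-maintained allow-list and it does not cover the provider's error branch: `queryError` is declared here, yet the visible `redirectURL` hunk deletes only `code`, `state` and the new `session_state`, so an error response (`error`, plus `error_description` / `error_uri`, which have no constant at all) would leave those parameters in the reconstructed URL. If, as the commit message implies, that URL is what is sent back as `redirect_uri` in the token exchange, any parameter the provider appends makes it differ from the value used in the authorization request and the exchange fails — the same class of bug this commit fixes for Azure AD — so I would add `queryErrorDescription = "error_description"` and `queryErrorURI = "error_uri"` here and delete them (and `queryError`) in redirectURL next to the existing `q.Del` calls, and consider the RFC 9207 `iss` parameter for providers that echo it. A comment above the block, e.g. `// Query parameters an identity provider appends to the callback; redirectURL strips them so the rebuilt URL matches the redirect_uri used in the authorization request.`, would record why this list exists and what to extend when a new provider is added. The redirectURL function in the second hunk starts and ends outside this view, so I cannot tell whether the error case is handled before it is called.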