Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(oauth): support response_mode=form_post #1669

Merged
merged 5 commits into from
Apr 11, 2021
Merged

fix(oauth): support response_mode=form_post #1669

merged 5 commits into from
Apr 11, 2021

Conversation

balazsorban44
Copy link
Member

@balazsorban44 balazsorban44 commented Apr 7, 2021
edited
Loading

What:

Read state from req.body, when response_type=form_post is present.

Why:

Currently, if the user requiresresposne_mode=form_post for their provider (which is something we should consider as it is part of the OAuth spec: https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html), our implementation will fail to execute the state and/or pkce verifications when protection: ["pkce", "state"] (or similar) is set.

How:

In the appropriate handler, we simply fall back to req.body, if req.query did not contain a value for state

Related: #1664 (it although some advanced cookie will be needed for this to work properly. Please see #1664 (comment))

@vercel
Copy link

vercel bot commented Apr 7, 2021
edited
Loading

This pull request is being automatically deployed with Vercel (learn more).
To see the status of your deployment, click below or on the icon next to each commit.

🔍 Inspect: https://vercel.com/nextauthjs/next-auth/Eh754fScKyXw8ynJH998a5NUKxJA
✅ Preview: https://next-auth-git-feature-support-form-post-nextauthjs.vercel.app

@github-actions github-actions bot added the core Refers to `@auth/core` label Apr 7, 2021
@vercel vercel bot temporarily deployed to Preview April 11, 2021 22:17 Inactive
@balazsorban44 balazsorban44 merged commit 968903d into main Apr 11, 2021
@balazsorban44 balazsorban44 deleted the feature/support-form-post branch April 11, 2021 22:24
@github-actions
Copy link

🎉 This PR is included in version 3.14.5 🎉

The release is available on:

Your semantic-release bot 📦🚀

@balazsorban44 balazsorban44 mentioned this pull request Apr 11, 2021
Closed
@github-actions
Copy link

🎉 This PR is included in version 4.0.0-next.5 🎉

The release is available on:

Your semantic-release bot 📦🚀

mnphpexpert added a commit to mnphpexpert/next-auth that referenced this pull request Sep 2, 2024
@mnphpexpert
fix(oauth): support response_mode=form_post (nextauthjs#1669)
8030b8e 
* chore: alias dev script to next

* feat(core): fallback to body when reading state

* refactor: set csrfToken on req.options implicitly

Ensures we do this similarly than
in other handlers like pkce, state, extendRes, callbackUrlHandler etc.

* chore: add code comment for debugging
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@iaincollins iaincollins Awaiting requested review from iaincollins

Assignees
No one assigned
Labels
core Refers to `@auth/core`
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@balazsorban44