
feat: Add send_state parameter to disable sending of state #182

Merged
merged 2 commits into from
Jul 3, 2024

Conversation

stanhu
Contributor

@stanhu stanhu commented Jul 3, 2024

This reverts #181 and adds a `send_state` parameter instead to address #174.

According to https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3.1.2.1,
`state` is recommended but not required:

```
state
    RECOMMENDED. Opaque value used to maintain state between the
    request and the callback. Typically, Cross-Site Request Forgery
    (CSRF, XSRF) mitigation is done by cryptographically binding the
    value of this parameter with a browser cookie.
```

In #181 we attempted to make `require_state` skip the `state` verification if it were `true`, but this was reverted for two reasons:

1. If identity providers make direct requests to the callback phase with a valid token, no `state` is passed in the request. If `require_state` were `true`, this change fails the request and breaks existing flows.

2. If `state` isn't sent in the first place, it should not be verified.

`send_state` will now disable the sending of a `state` in the authorize phase.
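A constructed Ruby model of the authorize and callback phases this PR describes, added here as an example and not the gem's own code; the class, method and session-key names are assumed. It shows both effects of the option: with `send_state: true` the state is generated, bound to the session and verified once; with `send_state: false` nothing is sent and nothing is verified, so a provider-initiated request to the callback without a state is accepted (which also means the CSRF binding the spec quote describes is gone).

```ruby
require 'securerandom'
require 'uri'

# Constructed model of the two phases the PR discusses; not omniauth's code.
# `@session` stands in for the cookie-backed session that binds `state` to the
# user's browser, which is what gives the parameter its CSRF-mitigation value.
class StateFlow
  SESSION_KEY = 'omniauth.state' # assumed key name, not the gem's

  def initialize(send_state: true)
    @send_state = send_state
    @session = {}
  end

  # Authorize phase: build the redirect to the provider. With send_state: true a
  # random state is generated and remembered in the session; with false the
  # parameter is omitted entirely, so there is nothing to verify later.
  def authorize_url(authorization_endpoint, client_id, redirect_uri)
    params = { 'response_type' => 'code', 'client_id' => client_id,
               'redirect_uri' => redirect_uri, 'scope' => 'openid' }
    if @send_state
      state = SecureRandom.hex(16)
      @session[SESSION_KEY] = state
      params['state'] = state
    end
    "#{authorization_endpoint}?#{URI.encode_www_form(params)}"
  end

  # Callback phase. Returns :ok, :missing_state or :mismatch. When no state was
  # sent (send_state: false) the check is skipped, which is what lets an
  # IdP-initiated request to the callback (reason 1 above) succeed.
  def verify_callback(params)
    return :ok unless @send_state

    expected = @session.delete(SESSION_KEY) # one-time use: a replay fails
    returned = params['state'].to_s
    return :missing_state if expected.nil? || returned.empty?
    return :mismatch unless constant_time_equal?(returned, expected)

    :ok
  end

  private

  # Compare without an early exit so timing does not leak where they differ.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```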

@stanhu stanhu force-pushed the sh-introduce-send-state-option branch from 8219089 to a090124 Compare July 3, 2024 05:41
@stanhu stanhu force-pushed the sh-introduce-send-state-option branch from a090124 to 1e70c98 Compare July 3, 2024 05:49
@stanhu stanhu merged commit 02839d7 into master Jul 3, 2024
13 checks passed
@stanhu stanhu deleted the sh-introduce-send-state-option branch July 3, 2024 13:27