
OIDC id_token response should not contain state #652


Status: Closed
JonathanHuot opened this issue Feb 19, 2019 · 1 comment
Labels: Bug, OAuth2-Provider (This impact the provider part of OAuth2), OIDC (OpenID Connect)

JonathanHuot (Member) commented Feb 19, 2019

Describe the bug

When requesting an id_token with the authorization code flow, the TOKEN endpoint returns a state, but state is only a response parameter for the AUTHORIZE endpoint.

How to reproduce

  • Implement OIDC support in oauthlib for authorization_code.
  • Send a valid /authorize request with a state
  • Send a valid /token request, and see state=None in the response.

Expected behavior

We should have the state only in the /authorize response (e.g. for the code or implicit response).

Additional context

  • Are you using OAuth1, OAuth2 or OIDC?
    OIDC

  • Are you writing client or server side code?
    Server side

@JonathanHuot JonathanHuot added Bug OIDC OpenID Connect labels Feb 19, 2019
@JonathanHuot JonathanHuot added this to the 3.0.2 milestone Feb 19, 2019
@JonathanHuot JonathanHuot self-assigned this Feb 19, 2019
JonathanHuot (Member, Author) commented Feb 19, 2019

The same bug exists for OAuth2 but is slightly different. The response of grant_type=authorization_code&state=foobar contains state=foobar. However, we don't have the field if the request doesn't contain it, which is why nobody has noticed it yet.

It is like this because the same code is run for implicit and for authorization_code. This should be fixed.
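The checks below are an added example, not code from oauthlib or from the issue author. They encode the two rules the thread relies on: per RFC 6749 section 4.1.2 the authorization redirect must echo `state` exactly when the request sent one, and per RFC 6749 section 5.1 (plus the `id_token` member OIDC Core section 3.1.3.3 adds) a token response has no `state` member at all. The `buggy_token_response` builder mimics the reported behaviour (a shared response builder that reflects `state` from the token request, emitting a null value when the request had none); `fixed_token_response` builds the body only from the issued token. Both builders, the parameter set and the sample values are hypothetical, constructed for this illustration.

```python
"""Added example (not oauthlib code): detect the misplaced `state`
parameter described in this issue and show a token response builder that
keeps it out.  All request/response values below are constructed."""
import json
from urllib.parse import parse_qs, urlparse

# Members a token response may carry: RFC 6749 section 5.1, plus the
# id_token member OIDC Core section 3.1.3.3 adds.  `state` is not one.
TOKEN_RESPONSE_PARAMS = {"access_token", "token_type", "expires_in",
                         "refresh_token", "scope", "id_token"}


def check_authorize_response(redirect_uri, sent_state):
    """RFC 6749 section 4.1.2: the code-flow redirect carries `code` and
    must echo `state` exactly when the authorization request sent one.
    Returns a list of problems (empty when the redirect is well formed)."""
    query = parse_qs(urlparse(redirect_uri).query)
    params = {k: v[0] for k, v in query.items()}
    errors = []
    if "code" not in params:
        errors.append("missing code")
    if sent_state is not None:
        if params.get("state") != sent_state:
            errors.append("state missing or does not match the request")
    elif "state" in params:
        errors.append("state returned although the request sent none")
    return errors


def check_token_response(body_json):
    """Token endpoint JSON body: required members present, no `state`
    (whether a real value or a serialized null), nothing else unexpected."""
    body = json.loads(body_json)
    errors = []
    for required in ("access_token", "token_type"):
        if required not in body:
            errors.append(f"missing {required}")
    if "state" in body:
        errors.append("state must not appear in a token response")
    errors.extend(f"unexpected parameter {k}" for k in sorted(body)
                  if k not in TOKEN_RESPONSE_PARAMS and k != "state")
    return errors


def buggy_token_response(token, request_params):
    """Hypothetical reproduction of the reported behaviour: the response
    builder shared with the implicit flow copies `state` from the token
    request, so the body gets state=<value>, or state=null when absent."""
    body = dict(token)
    body["state"] = request_params.get("state")
    return json.dumps(body)


def fixed_token_response(token, request_params):
    """Token responses are built from the issued token alone; request
    parameters such as `state` are never reflected, and only members the
    specification defines are emitted."""
    body = {k: v for k, v in token.items() if k in TOKEN_RESPONSE_PARAMS}
    return json.dumps(body)


if __name__ == "__main__":
    # Constructed sample token and requests.
    token = {"access_token": "constructed-access-token", "token_type": "Bearer",
             "expires_in": 3600, "id_token": "constructed.id.token"}
    token_request = {"grant_type": "authorization_code",
                     "code": "constructed-code", "state": "xyz"}
    print(check_authorize_response(
        "https://client.example/cb?code=constructed-code&state=xyz", "xyz"))
    print(check_token_response(buggy_token_response(token, token_request)))
    print(check_token_response(fixed_token_response(token, token_request)))
```

Running the script reports no problems for the authorization redirect, flags the `state` member in the buggy token body, and accepts the fixed one. The fixed builder deliberately filters by an allow-list rather than deleting `state`, so any other request parameter that a shared code path might reflect is dropped as well.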
