Open perchrh opened 4 years ago
This doesn't seem to be the solution because if the state is not present in the response from Cognito it will raise the error since the conditions are met.
Did you mean "if state and expected_state != expected_state:", thereby invalidating the need for state? Still odd AWS is not returning it.
Yes, that is what I mean, and the code in your comment is identical to the code in the pull request, ref. https://github.com/cgauge/Flask-AWSCognito/pull/6/commits/74e988446a7c2e2424b493ea8631dca3e571d51a line 82. I could find no information from AWS on why the state query parameter is not included. As it works regardless, my expectation is that AWS removed it at some point while keeping the behavior for old user pools.
I think this change will make the tool less secure. If you're trying to test your endpoint by launching the hosted UI, just generate the state key from the command line, and add it to the redirect_url parameter the hosted UI is using.
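The security concern raised above comes down to what the callback handler does when the `state` parameter is missing. The following is an added, stand-alone illustration and is not Flask-AWSCognito's code: it places a check that skips verification when `state` is absent (the behaviour the pull request introduces) next to a check that always requires the issued value, and runs a simulated callback through both. The function names, the in-memory `session` dict, the query dicts and the Cognito domain placeholder are all constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlencode


def generate_state() -> str:
    """Unguessable value issued at login and stored in the user's session.
    This is also the value you would generate by hand when testing against
    the hosted UI, as suggested in the thread."""
    return secrets.token_urlsafe(32)


def build_hosted_ui_login_url(domain: str, client_id: str, redirect_uri: str, state: str) -> str:
    """Authorize URL for the hosted UI with `state` attached as a query parameter.
    `domain` is a placeholder; substitute the user pool's own hosted UI domain."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return f"https://{domain}/oauth2/authorize?{urlencode(params)}"


def state_check_lenient(received_state, expected_state) -> bool:
    """Mirrors the PR's relaxed check: the comparison only happens when the
    callback carries a state value. A callback that simply omits the parameter
    is accepted, so the CSRF binding between login and callback is lost."""
    if not received_state:
        return True  # nothing to compare: check skipped entirely
    return expected_state is not None and hmac.compare_digest(received_state, expected_state)


def state_check_strict(received_state, expected_state) -> bool:
    """Always requires the callback to carry exactly the state issued for this
    session; missing or unknown values are rejected."""
    if not received_state or not expected_state:
        return False
    return hmac.compare_digest(received_state, expected_state)


def handle_callback(query: dict, session: dict, check) -> bool:
    """Simulated redirect-URL handler. `query` is the parsed callback query
    string, `session` is the server-side session holding the issued state.
    Returns True when the handler would go on to exchange `code` for tokens."""
    if "code" not in query:
        return False
    return check(query.get("state"), session.get("oauth_state"))


if __name__ == "__main__":
    session = {"oauth_state": generate_state()}
    print(build_hosted_ui_login_url("example.auth.eu-west-1.amazoncognito.com",
                                    "client-id-placeholder",
                                    "https://app.example/callback",
                                    session["oauth_state"]))

    # Constructed callbacks: a genuine one, one that omits state, one with a wrong state.
    genuine = {"code": "constructed-code", "state": session["oauth_state"]}
    no_state = {"code": "constructed-code"}
    wrong_state = {"code": "constructed-code", "state": "attacker-chosen"}

    for name, q in [("genuine", genuine), ("no state", no_state), ("wrong state", wrong_state)]:
        print(f"{name:12s} lenient={handle_callback(q, session, state_check_lenient)} "
              f"strict={handle_callback(q, session, state_check_strict)}")
```

The only row where the two checks disagree is the callback with no `state` at all: the lenient check lets it through, the strict one does not. That difference is the whole of the objection in the comment above, and it is why a missing parameter should be treated the same as a mismatched one rather than as "nothing to verify".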
This pull request adds support for no state parameter received from AWS. Before the change, the plugin failed to provide an access token. After the change, the access token is provided from the plugin as expected.
Details: The "state" parameter is not sent as part of the request received from the Cognito Hosted UI to the AWS_COGNITO_REDIRECT_URL with the current AWS defaults. Also, I could find no setting that enabled the "state" query parameter. It looks unnecessary.