Closed voidz0r closed 1 year ago
confirmed!
the state SHOULD be there and the redirect_uri MUST be the one compliant with the requesting RP metadata. Would you like to propose a PR for that to resolve this issue?
anyway, thank you for this issue, it's very relevant for the project
There's an open redirect vulnerability in the oidc_provider_not_consent view of the ConsentPageView class. The HttpResponseRedirect, as stated in the documentation, accepts a fully qualified URL, and the view validates neither the input URL nor the state.
https://github.com/italia/spid-cie-oidc-django/blob/45c4241e62db78e9a8d8e50a975b49709025c16b/spid_cie_oidc/provider/views/consent_page_view.py#L108
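The check the maintainer asks for, written out as an added example (not code from spid-cie-oidc-django): before the provider sends the user back to the relying party after a refused consent, it requires the state parameter and accepts redirect_uri only when it exactly matches a value registered in that RP's metadata. The RP registry dict, the parameter names and the sample URLs are constructed for the illustration; the project's own storage and view APIs are not used, and Django is not imported so the snippet runs stand-alone.

```python
"""Redirect-target validation for a 'consent denied' response.

Added illustration, not the project's code. The vulnerable pattern from
the issue (redirecting to whatever redirect_uri the request carried) is
shown beside a hardened version that (1) requires `state` and (2) only
accepts a redirect_uri that exactly matches one registered for the RP,
the string-equality rule of RFC 6749 / OIDC Core for redirect URIs.
"""
from urllib.parse import urlencode, urlsplit


class InvalidRedirect(ValueError):
    """Raised when the redirect target cannot be trusted."""


# Constructed stand-in for the provider's stored RP metadata (assumption:
# keyed by client_id, with the registered redirect_uris list).
RP_REGISTRY = {
    "https://rp.example.org": {
        "redirect_uris": ["https://rp.example.org/oidc/rp/callback"],
    },
}


def unsafe_denied_redirect(params):
    """Vulnerable pattern described in the issue: the client-supplied
    redirect_uri is used as-is, so any absolute URL becomes the target."""
    return params["redirect_uri"] + "?" + urlencode({"error": "access_denied"})


def build_denied_redirect(params, registry=RP_REGISTRY):
    """Return the URL to send the user to after they refuse consent.

    params: the authorization-request parameters the provider kept for
    this session (client_id, redirect_uri, state), a constructed dict.
    Raises InvalidRedirect instead of redirecting to an unverified URL.
    """
    client_id = params.get("client_id")
    redirect_uri = params.get("redirect_uri")
    state = params.get("state")

    # The state must be present so the RP can bind the response to its
    # own pending request; a redirect without it is rejected outright.
    if not state:
        raise InvalidRedirect("missing state")

    rp = registry.get(client_id)
    if rp is None:
        raise InvalidRedirect("unknown client_id")

    # Exact string comparison against the registered values: no prefix,
    # host-only or scheme-only matching, which is where open redirects
    # usually creep back in.
    if redirect_uri not in rp["redirect_uris"]:
        raise InvalidRedirect("redirect_uri not registered for this RP")

    # Append the error and echo the state on the query string, keeping any
    # query the registered URI already carries.
    sep = "&" if urlsplit(redirect_uri).query else "?"
    return redirect_uri + sep + urlencode({"error": "access_denied", "state": state})


if __name__ == "__main__":
    request = {
        "client_id": "https://rp.example.org",
        "redirect_uri": "https://rp.example.org/oidc/rp/callback",
        "state": "abc123",
    }
    print(build_denied_redirect(request))
    try:
        build_denied_redirect(dict(request, redirect_uri="https://attacker.example/"))
    except InvalidRedirect as exc:
        print("rejected:", exc)
```

In a Django view the returned string would be handed to HttpResponseRedirect only after build_denied_redirect succeeds; the InvalidRedirect case should render an error page rather than fall back to the request's redirect_uri.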