omniauth / omniauth_openid_connect

MIT License

fix: make require_state skip verification of state #181

Closed stanhu closed 3 months ago

stanhu commented 3 months ago

In https://github.com/omniauth/omniauth_openid_connect/pull/127, require_state was introduced because according to https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3.1.2.1, state is recommended but not required:

state
    RECOMMENDED. Opaque value used to maintain state between the
    request and the callback. Typically, Cross-Site Request Forgery
    (CSRF, XSRF) mitigation is done by cryptographically binding the
    value of this parameter with a browser cookie.

During review, the require_state parameter was modified to verify state as long as stored_state was present. However, stored_state always holds at least a random value, so when require_state was false and an OpenID provider did not relay the state value, authentication would halt with an "Invalid 'state' parameter" error.

This commit updates it so that if require_state is set to false, the state parameter is never checked at all.

Closes #174
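The check described in the PR, as an added illustration that is not code from omniauth_openid_connect or from the PR author. It models the pre-fix logic (verify whenever stored_state is present, which is always, since the session value is random) next to the post-fix logic (skip the check entirely when require_state is false) and exercises both against a simulated provider callback that omits state. The function and session key names, the structure of the pre-fix condition, and the constant-time compare are assumptions; the OpenID provider response is constructed inline.

```ruby
# Added example, not the gem's own code. Models the state verification
# behaviour before and after the fix described in the PR; names are assumed.
require 'securerandom'

class StateError < StandardError; end

# The session always holds a random value, as the PR notes: stored_state is
# never nil, so "verify when stored_state is present" means "always verify".
def new_session
  { 'omniauth.state' => SecureRandom.hex(16) }
end

# Constant-time comparison so the check itself does not leak the stored
# value byte by byte through timing (hand-rolled to avoid gem version issues).
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Pre-fix behaviour as described in the PR (condition shape is assumed):
# the check runs if require_state is set OR stored_state is present, and
# stored_state is always present, so require_state: false changes nothing.
def verify_state_before_fix(params, session, require_state:)
  stored_state = session['omniauth.state']
  if require_state || stored_state
    unless params['state'] && secure_equal?(params['state'], stored_state)
      raise StateError, "Invalid 'state' parameter"
    end
  end
  true
end

# Post-fix behaviour: require_state: false means state is never checked.
# Note the trade-off: the CSRF binding between request and callback is
# gone, so this should only be used for providers that cannot relay state.
def verify_state_after_fix(params, session, require_state:)
  return true unless require_state
  stored_state = session['omniauth.state']
  unless params['state'] && stored_state && secure_equal?(params['state'], stored_state)
    raise StateError, "Invalid 'state' parameter"
  end
  true
end

# Simulates the provider's redirect back to the callback (constructed data).
# relay_state: false models a provider that drops the state parameter, the
# situation reported in #174; tamper: true models a CSRF-style mismatch.
def callback_params(session, relay_state: true, tamper: false)
  params = { 'code' => 'opaque-authorization-code' }
  if relay_state
    params['state'] = tamper ? SecureRandom.hex(16) : session['omniauth.state']
  end
  params
end

# Returns true when the given checker halts authentication with StateError.
def halts?(checker, params, session, require_state:)
  send(checker, params, session, require_state: require_state)
  false
rescue StateError
  true
end

if __FILE__ == $PROGRAM_NAME
  session = new_session
  dropped = callback_params(session, relay_state: false)
  puts "before fix, require_state=false, state dropped: halts=#{halts?(:verify_state_before_fix, dropped, session, require_state: false)}"
  puts "after fix,  require_state=false, state dropped: halts=#{halts?(:verify_state_after_fix, dropped, session, require_state: false)}"
end
```

With require_state left at its default of true, both variants still reject a missing or mismatched state, so the fix only changes behaviour for deployments that have explicitly opted out of the CSRF binding.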