In https://github.com/omniauth/omniauth_openid_connect/pull/127, require_state was introduced because, according to https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3.1.2.1, state is recommended but not required:

state
RECOMMENDED. Opaque value used to maintain state between the
request and the callback. Typically, Cross-Site Request Forgery
(CSRF, XSRF) mitigation is done by cryptographically binding the
value of this parameter with a browser cookie.

During review, the require_state parameter was modified to verify state as long as stored_state was present. However, stored_state always holds at least a random value, so when require_state was false and an OpenID provider did not relay the state value, authentication would halt with an "Invalid 'state' parameter" error.

This commit updates it so that if require_state is set to false, the state parameter is never checked at all.

Closes #174
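To make the failure mode concrete, the following is an added Ruby illustration, not the gem's own code: verify_state_before reconstructs the check as the commit message describes it (verify whenever stored_state is present), verify_state_after reconstructs the new behaviour (skip entirely when require_state is false), and simulate, InvalidState and the method names are hypothetical.

```ruby
require 'securerandom'

# Added illustration, not the gem's own code: reconstructs the state check
# described in the commit message. InvalidState stands in for the gem's
# "Invalid 'state' parameter" failure.
class InvalidState < StandardError; end

# Compare the state echoed by the provider with the one kept in the session
# without leaking the position of the first mismatching byte.
def secure_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Before the commit: verify whenever stored_state is present. Because the
# session always holds a fresh random value, this branch is always taken,
# so require_state: false still fails when the provider omits state.
def verify_state_before(returned_state, stored_state, require_state:)
  if stored_state
    raise InvalidState, "Invalid 'state' parameter" unless secure_equal?(returned_state, stored_state)
  elsif require_state
    raise InvalidState, "Invalid 'state' parameter"
  end
  :ok
end

# After the commit: require_state: false means state is never checked at all;
# require_state: true keeps the CSRF binding the spec text describes.
def verify_state_after(returned_state, stored_state, require_state:)
  return :skipped unless require_state
  raise InvalidState, "Invalid 'state' parameter" unless secure_equal?(returned_state, stored_state)
  :ok
end

# Drive one callback: the session always stores a random state, and the
# provider either echoes it back, omits it, or returns a different value.
def simulate(provider_returns:, require_state:, fixed: true)
  stored = SecureRandom.hex(16)
  returned = { echo: stored, omit: nil, other: SecureRandom.hex(16) }.fetch(provider_returns)
  checker = fixed ? method(:verify_state_after) : method(:verify_state_before)
  checker.call(returned, stored, require_state: require_state)
rescue InvalidState => e
  e.message
end

if __FILE__ == $PROGRAM_NAME
  puts simulate(provider_returns: :omit, require_state: false, fixed: false) # the reported failure
  puts simulate(provider_returns: :omit, require_state: false)               # :skipped after the fix
  puts simulate(provider_returns: :other, require_state: true)               # binding still enforced
end
```

With require_state: false the callback no longer carries the CSRF binding quoted from the spec, so that setting only makes sense for a provider that cannot relay state.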