panva / openid-client

OAuth 2 / OpenID Connect Client API for JavaScript Runtimes
MIT License

fix: stop sending state on the authorisation code token grant #121

Closed davidgtonge closed 6 years ago

davidgtonge commented 6 years ago

This was added a long time ago as it was recommended by an early ‘mix-up mitigation’ draft. It is now no longer the recommended option as evidenced by the latest ‘oauth security topics’ BCP.

This fixes issue #120

NB - no tests were required to be changed

codecov[bot] commented 6 years ago

Codecov Report

Merging #121 into master will not change coverage. The diff coverage is n/a.

@@          Coverage Diff          @@
##           master   #121   +/-   ##
=====================================
  Coverage     100%   100%           
=====================================
  Files          17     17           
  Lines         781    781           
=====================================
  Hits          781    781