fix: Add state parameter to OIDC authorization url

Closes #558
2025-07-24 15:49:46 +02:00 · 2023-12-09 17:06:45 +01:00 · 2023-12-09 17:06:45 +01:00 · ca6fb3b962
commit ca6fb3b962
parent 28c3f28e01
1 changed files with 42 additions and 24 deletions
--- a/client/src/sagas/login/services/login.js
+++ b/client/src/sagas/login/services/login.js
@ -32,15 +32,29 @@ export function* authenticate(data) {
 export function* authenticateUsingOidc() {
  const oidcConfig = yield select(selectors.selectOidcConfig);

+  const state = nanoid();
+  window.sessionStorage.setItem('oidc-state', state);
+
  const nonce = nanoid();
  window.sessionStorage.setItem('oidc-nonce', nonce);
-  window.location.href = `${oidcConfig.authorizationUrl}&nonce=${encodeURIComponent(nonce)}`;
+
+  let redirectUrl = `${oidcConfig.authorizationUrl}`;
+  redirectUrl += `&state=${encodeURIComponent(state)}`;
+  redirectUrl += `&nonce=${encodeURIComponent(nonce)}`;
+
+  window.location.href = redirectUrl;
 }

 export function* authenticateUsingOidcCallback() {
  // https://github.com/plankanban/planka/issues/511#issuecomment-1771385639
  const params = new URLSearchParams(window.location.hash.substring(1) || window.location.search);

+  const state = window.sessionStorage.getItem('oidc-state');
+  window.sessionStorage.removeItem('oidc-state');
+
+  const nonce = window.sessionStorage.getItem('oidc-nonce');
+  window.sessionStorage.removeItem('oidc-nonce');
+
  yield put(replace(Paths.LOGIN));

  if (params.get('error') !== null) {
@ -54,7 +68,23 @@ export function* authenticateUsingOidcCallback() {
    return;
  }

-  const nonce = window.sessionStorage.getItem('oidc-nonce');
+  const code = params.get('code');
+  if (code === null) {
+    yield put(
+      actions.authenticateUsingOidc.failure(new Error('Invalid OIDC response: no code parameter')),
+    );
+    return;
+  }
+
+  if (params.get('state') !== state) {
+    yield put(
+      actions.authenticateUsingOidc.failure(
+        new Error('Unable to process OIDC response: state mismatch'),
+      ),
+    );
+    return;
+  }
+
  if (nonce === null) {
    yield put(
      actions.authenticateUsingOidc.failure(
@ -64,31 +94,19 @@ export function* authenticateUsingOidcCallback() {
    return;
  }

-  const code = params.get('code');
-  if (code === null) {
-    yield put(
-      actions.authenticateUsingOidc.failure(new Error('Invalid OIDC response: no code parameter')),
-    );
+  let accessToken;
+  try {
+    ({ item: accessToken } = yield call(api.exchangeForAccessTokenUsingOidc, {
+      code,
+      nonce,
+    }));
+  } catch (error) {
+    yield put(actions.authenticateUsingOidc.failure(error));
    return;
  }

-  window.sessionStorage.removeItem('oidc-nonce');
-
-  if (code !== null) {
-    let accessToken;
-    try {
-      ({ item: accessToken } = yield call(api.exchangeForAccessTokenUsingOidc, {
-        code,
-        nonce,
-      }));
-    } catch (error) {
-      yield put(actions.authenticateUsingOidc.failure(error));
-      return;
-    }
-
-    yield call(setAccessToken, accessToken);
-    yield put(actions.authenticateUsingOidc.success(accessToken));
-  }
+  yield call(setAccessToken, accessToken);
+  yield put(actions.authenticateUsingOidc.success(accessToken));
 }

 export function* clearAuthenticateError() {