

Return state as redirect query parameter on oauth implicit flow errors (
ioi-christianco authored and Tratcher committed Apr 30, 2018
1 parent b259478 commit e2b18ec
Showing 3 changed files with 43 additions and 1 deletion.
@@ -779,6 +779,12 @@ private async Task InvokeTokenEndpointAsync()
{
location = WebUtilities.AddQueryString(location, Constants.Parameters.ErrorUri, errorUri);
}
// if a state parameter was provided, include it in the redirect location
IList<string> stateValues = clientContext.Request.Query.GetValues(Constants.Parameters.State);
if (stateValues != null && stateValues.Count == 1)
{
location = WebUtilities.AddQueryString(location, Constants.Parameters.State, stateValues[0]);
}
Response.Redirect(location);
// request is handled, does not pass on to application
return Task.FromResult(true);
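Review bot: The `stateValues.Count == 1` guard on the new `if` silently drops a `state` that was sent more than once instead of treating the request as malformed, and nothing in the hunk shows that the success path applies the same single-value rule, so the two flows can disagree on when `state` is echoed; making the intent explicit, e.g. `// echo state only when it was sent exactly once; a repeated value is ambiguous and is dropped`, and sharing one lookup helper with the success path would keep them aligned. The page itself shows a second divergence: the existing test `StateShouldBePassedBack` reads `state` from the redirect fragment, while the new error test reads it from the query string. For `response_type=token` RFC 6749 §4.2.2.1 places the error response, including `state`, in the fragment; this hunk follows the surrounding code's `AddQueryString` convention, so that is a pre-existing point rather than one this commit introduces, but it is worth a comment on the new lines saying why the query string is used here. The enclosing method starts and ends outside the hunk, and the `Task.FromResult(true)` return suggests it is a non-async helper rather than the `InvokeTokenEndpointAsync` named in the hunk header — confirm which method these lines land in.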
@@ -72,6 +72,26 @@ public async Task StateShouldBePassedBack()
fragment.Get("state").ShouldBe("123");
}

[Fact]
public async Task StateMustBePassedBackOnError()
{
var server = new OAuth2TestServer();

OAuth2TestServer.Transaction transaction1 = await server.SendAsync("https://example.com/authorize?response_type=token&client_id=unauthorized&state=123&redirect_uri=" + Uri.EscapeDataString("https://gamma.com/return"));

NameValueCollection queryStringWithState = transaction1.ParseRedirectQueryString();
queryStringWithState.Get("access_token").ShouldBe(null);
queryStringWithState.Get("error").ShouldBe("unauthorized_client");
queryStringWithState.Get("state").ShouldBe("123");

OAuth2TestServer.Transaction transaction2 = await server.SendAsync("https://example.com/authorize?response_type=token&client_id=unauthorized&redirect_uri=" + Uri.EscapeDataString("https://gamma.com/return"));

NameValueCollection queryStringNoState = transaction2.ParseRedirectQueryString();
queryStringNoState.Get("access_token").ShouldBe(null);
queryStringNoState.Get("error").ShouldBe("unauthorized_client");
queryStringNoState.Get("state").ShouldBe(null);
}

[Fact]
public async Task AccessTokenMayBeUsed()
{
@@ -101,7 +121,7 @@ public async Task UnrecognizedParametersAreIgnored()
string userName = await GetUserName(server, fragment.Get("access_token"));
userName.ShouldBe("epsilon");
}

private Task SignInEpsilon(IOwinContext ctx)
{
ctx.Authentication.SignIn(new AuthenticationProperties(), CreateIdentity("epsilon"));
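Review bot: `StateMustBePassedBackOnError` only sends `state=123`, which never exercises the encoding path; a value that needs percent-encoding is the case most likely to break the round trip through `AddQueryString` and `ParseRedirectQueryString`, so a second request with `"&state=" + Uri.EscapeDataString("a b&c=d")` asserted back as `queryString.Get("state").ShouldBe("a b&c=d")` would pin that. The test also does not assert that `error_description` and `error_uri`, which the fixture's `SetError` call supplies, still arrive alongside `state`, nor (if `Transaction` exposes the redirect location) that the redirect went to the validated `https://gamma.com/return` rather than a value taken from the request. Since `StateShouldBePassedBack` reads `state` from the fragment and this test reads the query string, a one-line comment on the new test stating why the error response is expected in the query would stop a reader from assuming one of the two tests is wrong.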
16 changes: 16 additions & 0 deletions tests/Microsoft.Owin.Security.Tests/OAuth/OAuth2TestServer.cs
@@ -61,6 +61,10 @@ public OAuth2TestServer(Action<OAuth2TestServer> configure = null)
{
ctx.Validated("https://gamma3.com/return");
}
else if (ctx.ClientId == "unauthorized")
{
ctx.Validated("https://gamma.com/return");
}
return Task.FromResult(0);
},
OnValidateClientAuthentication = ctx =>
@@ -84,6 +88,18 @@ public OAuth2TestServer(Action<OAuth2TestServer> configure = null)
}
}
return Task.FromResult(0);
},
OnValidateAuthorizeRequest = ctx =>
{
if (ctx.AuthorizeRequest.ClientId == "unauthorized")
{
ctx.SetError("unauthorized_client", "Unknown client", "https://owintestoauth.com/error/unknown_client");
}
else
{
ctx.Validated();
}
return Task.FromResult(0);
}
},
AuthorizationCodeProvider = new InMemorySingleUseReferenceProvider(),
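Review bot: The client id `"unauthorized"` and the redirect `"https://gamma.com/return"` are now literals in three places in this fixture (the `ctx.ClientId == "unauthorized"` branch, its `ctx.Validated("https://gamma.com/return")`, and `ctx.AuthorizeRequest.ClientId == "unauthorized"` in the new `OnValidateAuthorizeRequest`) and twice more in the test; a pair of constants on `OAuth2TestServer`, e.g. `public const string UnauthorizedClientId = "unauthorized";`, would keep the fixture and the test from drifting apart. Registering `OnValidateAuthorizeRequest` also changes the path every other test takes through this fixture, since they now pass through the explicit `ctx.Validated()` branch; whether that matches the previous behaviour when no callback was set cannot be seen on this page and is worth confirming in the commit description. The constructor body begins before and continues after both hunks.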

