Merge pull request #10984 from KorvinSzanto/feature/state-param-in-ex…
…ternal-auth

Add state parameter to external concrete authentication service
aembler authored and KorvinSzanto committed Oct 13, 2022
1 parent 19827a2 commit e9131da
Showing 2 changed files with 33 additions and 2 deletions.
Expand Up @@ -106,4 +106,12 @@ protected function getAuthorizationMethod()
{
return self::AUTHORIZATION_METHOD_HEADER_BEARER;
}

/**
* Always send through and verify "state" parameter
*/
public function needsStateParameterInAuthUrl(): bool
{
return true;
}
}
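Review bot: The docblock on the new needsStateParameterInAuthUrl() describes what is sent but not what the caller should expect, which is the part a maintainer needs when reading the callback code that catches InvalidAuthorizationStateException. Suggest `/** Always send the OAuth2 "state" parameter in the authorization URL and verify it on the callback; with this enabled, requestAccessToken() is expected to reject a callback whose state does not match the stored value (InvalidAuthorizationStateException). */`. If this overrides a method of the OAuth library's base service, saying so in the docblock would also help, since the class header and parent are outside the hunk.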
Expand Up @@ -8,6 +8,7 @@
use OAuth\Common\Http\Exception\TokenResponseException;
use OAuth\OAuth2\Service\AbstractService;
use Concrete\Core\User\User;
use OAuth\OAuth2\Service\Exception\InvalidAuthorizationStateException;

abstract class GenericOauth2TypeController extends GenericOauthTypeController
{
Expand All @@ -33,12 +34,23 @@ public function handle_authentication_callback()
}

try {
$service = $this->getService();
$code = \Request::getInstance()->get('code');
$token = $this->getService()->requestAccessToken($code);
$state = \Request::getInstance()->get('state') ?: null;

// If state is required update this variable to be never null
if ($service->needsStateParameterInAuthUrl()) {
$state = $state ?: '';
}

$token = $service->requestAccessToken($code, $state);
$this->setToken($token);
} catch (TokenResponseException $e) {
$this->showError(t('Failed authentication: %s', $e->getMessage()));
exit;
} catch (InvalidAuthorizationStateException $e) {
$this->showError(t('Invalid state token provided, please try again.'));
exit;
}

if ($token) {
Expand Down Expand Up @@ -81,11 +93,22 @@ public function handle_attach_callback()
}

try {
$service = $this->getService();
$code = \Request::getInstance()->get('code');
$token = $this->getService()->requestAccessToken($code);
$state = \Request::getInstance()->get('state') ?: null;

// If state is required update this variable to be never null
if ($service->needsStateParameterInAuthUrl()) {
$state = $state ?: '';
}

$token = $service->requestAccessToken($code, $state);
} catch (TokenResponseException $e) {
$this->showError(t('Failed authentication: %s', $e->getMessage()));
exit;
} catch (InvalidAuthorizationStateException $e) {
$this->showError(t('Invalid state token provided, please try again.'));
exit;
}

if ($token) {
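Review bot: The state is read with `\Request::getInstance()->get('state') ?: null` in both handle_authentication_callback and handle_attach_callback, so a present-but-falsy value such as `''` or `'0'` is turned into null; the required-state branch then substitutes `''` deliberately so that verification still runs, which suggests the library treats a null state as "do not verify", and for a service whose needsStateParameterInAuthUrl() is false a falsy state would then never be checked. A strict null test keeps the submitted value intact (assuming get() returns null for a missing parameter): `$state = \Request::getInstance()->get('state');` followed by `if ($state === null && $service->needsStateParameterInAuthUrl()) { $state = ''; }`. The same ten-line read-and-request block is duplicated across the two methods; a private helper lets both callbacks share it, as sketched below. It is also worth confirming whether requestAccessToken() can raise an exception other than the two caught here when no stored state exists (for example an expired session), since that case would bypass the friendly error path. Both enclosing methods start and end outside the hunks.
```php
// … unchanged: pre-try checks in handle_authentication_callback …
try {
    $token = $this->requestAccessTokenFromCallback();
    $this->setToken($token);
// … unchanged: catch blocks; handle_attach_callback calls the same helper …

/**
 * Read the "code" and "state" parameters from the callback request and
 * exchange them for an access token on the configured service.
 *
 * @throws TokenResponseException
 * @throws InvalidAuthorizationStateException
 */
private function requestAccessTokenFromCallback()
{
    $service = $this->getService();
    $request = \Request::getInstance();
    $code = $request->get('code');
    $state = $request->get('state');

    // Only substitute '' when the service verifies state; a null state would skip the check.
    if ($state === null && $service->needsStateParameterInAuthUrl()) {
        $state = '';
    }

    return $service->requestAccessToken($code, $state);
}
```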
