Make state encoding signatures consistent

oauthproxy.go

@@ -649,7 +649,7 @@ func (p *OAuthProxy) OAuthStart(rw http.ResponseWriter, req *http.Request) {
 	callbackRedirect := p.getOAuthRedirectURI(req)
 	loginURL := p.provider.GetLoginURL(
 		callbackRedirect,
-		encodeState(csrf, appRedirect),
+		encodeState(csrf.HashOAuthState(), appRedirect),
 		csrf.HashOIDCNonce(),
 	)
 
@@ -1109,8 +1109,8 @@ func extractAllowedGroups(req *http.Request) map[string]struct{} {
 
 // encodedState builds the OAuth state param out of our nonce and
 // original application redirect
-func encodeState(csrf cookies.CSRF, redirect string) string {
-	return fmt.Sprintf("%v:%v", csrf.HashOAuthState(), redirect)
+func encodeState(nonce string, redirect string) string {
+	return fmt.Sprintf("%v:%v", nonce, redirect)
 }
 
 // decodeState splits the reflected OAuth state response back into

oauthproxy_test.go

@@ -714,7 +714,10 @@ func (patTest *PassAccessTokenTest) getCallbackEndpoint() (httpCode int, cookie
 
 	req, err := http.NewRequest(
 		http.MethodGet,
-		fmt.Sprintf("/oauth2/callback?code=callback_code&state=%s", encodeState(csrf, "%2F")),
+		fmt.Sprintf(
+			"/oauth2/callback?code=callback_code&state=%s",
+			encodeState(csrf.HashOAuthState(), "%2F"),
+		),
 		strings.NewReader(""),
 	)
 	if err != nil {

pkg/cookies/cookies.go

@@ -36,7 +36,7 @@ func MakeCookieFromOptions(req *http.Request, name string, value string, opts *o
 		SameSite: ParseSameSite(opts.SameSite),
 	}
 
-	WarnInvalidDomain(c, req)
+	warnInvalidDomain(c, req)
 
 	return c
 }
@@ -69,9 +69,9 @@ func ParseSameSite(v string) http.SameSite {
 	}
 }
 
-// WarnInvalidDomain logs a warning if the request host and cookie domain are
+// warnInvalidDomain logs a warning if the request host and cookie domain are
 // mismatched.
-func WarnInvalidDomain(c *http.Cookie, req *http.Request) {
+func warnInvalidDomain(c *http.Cookie, req *http.Request) {
 	if c.Domain == "" {
 		return
 	}