You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The flow_hybrid.go has this check here for state where it assigns the value from the fosite.AuthorizeRequester if there is no state present in the response parameters.
if resp.GetParameters().Get("state") == "" {
resp.AddParameter("state", ar.GetState())
}
But the check will misbehave if there is empty string passed in as "state". In that scenario, response parameter will have "state" with two empty strings as values. This will result in the redirect uri having duplicate state keys.
The above if statement should be changed to
if !resp.GetParameters().Has("state") {
resp.AddParameter("state", ar.GetState())
}
Reproducing the bug
Pass in empty state in the authorize request
Relevant log output
The redirect uri will look something like:
ui/oidcclient/redirect#expires_in=7199&token_type=bearer&state=&state=&scope=openid%20profile&id_token=<id_token>&code=<code>&access_token=<access_token>
Relevant configuration
No response
Version
v0.41.0
On which operating system are you observing this issue?
No response
In which environment are you deploying?
No response
Additional Context
No response
The text was updated successfully, but these errors were encountered:
Preflight checklist
Describe the bug
The flow_hybrid.go has this check here for state where it assigns the value from the fosite.AuthorizeRequester if there is no state present in the response parameters.
But the check will misbehave if there is empty string passed in as "state". In that scenario, response parameter will have "state" with two empty strings as values. This will result in the redirect uri having duplicate state keys.
The above if statement should be changed to
Reproducing the bug
Pass in empty state in the authorize request
Relevant log output
Relevant configuration
No response
Version
v0.41.0
On which operating system are you observing this issue?
No response
In which environment are you deploying?
No response
Additional Context
No response
The text was updated successfully, but these errors were encountered: