omniauth / omniauth_openid_connect / 9714733179

98%

push

github

fix: make require_state skip verification of state (#181)

In https://github.com/omniauth/omniauth_openid_connect/pull/127,
`require_state` was introduced because according to
https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3.1.2.1,
`state` is recommended but not required:

```
state
    RECOMMENDED. Opaque value used to maintain state between the
    request and the callback. Typically, Cross-Site Request Forgery
    (CSRF, XSRF) mitigation is done by cryptographically binding the
    value of this parameter with a browser cookie.
```

During review, the `require_state` parameter was modified to verify
`state` as long as `stored_state` was present. However, `stored_state`
always holds at least a random value, so when `require_state` were
`false` and if an OpenID provider did not relay the `state` value,
authentication would halt with a "Invalid 'state' parameter" error.

This commit updates it so that if `require_state` is set to `false`,
the `state` parameter is never checked at all.

1 of 1 new or added line in 1 file covered. (100.0%)

290 of 295 relevant lines covered (98.31%)

64.1 hits per line