4
98%
master: 98%

Ran 03 Jul 2024 01:30PM UTC

Files 5

Run time 0s

Badge

Embed ▾

Committed 03 Jul 2024 01:27PM UTC coverage: 98.328% (+0.02%) from 98.305%

Job # 9778780334.4

Build Type

push

github

Committed by

stanhu

Commit Message

feat: Add `send_state` parameter to disable sending of state

This reverts #181 and adds a `send_state` parameter instead to address #174.

According to https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3.1.2.1,
`state` is recommended but not required:

```
state
    RECOMMENDED. Opaque value used to maintain state between the
    request and the callback. Typically, Cross-Site Request Forgery
    (CSRF, XSRF) mitigation is done by cryptographically binding the
    value of this parameter with a browser cookie.
```

In https://github.com/omniauth/omniauth_openid_connect/pull/181 we
attempted to make `require_state` skip the `state` verification if
it were `true`, but this was reverted for two reasons:

1. If identity providers make direct requests to the callback phase
with a valid token, no `state` is passed in the request. If
`require_state` were `true`, this change fails the request and breaks
existing flows.

2. If `state` isn't sent in the first place, it should not be
verified.

`send_state` will now disable the sending of a `state` in the
authorize phase.

Run Details

294 of 299 relevant lines covered (98.33%)

13.04 hits per line

omniauth / omniauth_openid_connect / 9778780334 / 4
98%
master: 98%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

Source Files on job ruby-3.3 - 9778780334.4

omniauth / omniauth_openid_connect / 9778780334 / 4 98% master: 98%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

Source Files on job ruby-3.3 - 9778780334.4

omniauth / omniauth_openid_connect / 9778780334 / 4
98%
master: 98%

README BADGES
x