Added state param to oauth to make Okta happy (#9289)

Co-authored-by: rijkvanzanten <rijkvanzanten@me.com>
2026-04-25 03:00:53 -04:00 · 2021-11-01 19:04:32 +01:00
parent 366eb3e775
commit 179f06126e
2 changed files with 21 additions and 14 deletions
--- a/api/src/auth/drivers/oauth2.ts
+++ b/api/src/auth/drivers/oauth2.ts
@@ -55,10 +55,13 @@ export class OAuth2AuthDriver extends LocalAuthDriver {

 	generateAuthUrl(codeVerifier: string): string {
 		try {
+			const codeChallenge = generators.codeChallenge(codeVerifier);
 			return this.client.authorizationUrl({
 				scope: this.config.scope ?? 'email',
-				code_challenge: generators.codeChallenge(codeVerifier),
+				code_challenge: codeChallenge,
 				code_challenge_method: 'S256',
+				// Some providers require state even with PKCE
+				state: codeChallenge,
 				access_type: 'offline',
 			});
 		} catch (e) {
@@ -85,12 +88,11 @@ export class OAuth2AuthDriver extends LocalAuthDriver {
 		let userInfo;

 		try {
-			tokenSet = await this.client.grant({
-				grant_type: 'authorization_code',
-				code: payload.code,
-				redirect_uri: this.redirectUrl,
-				code_verifier: payload.codeVerifier,
-			});
+			tokenSet = await this.client.oauthCallback(
+				this.redirectUrl,
+				{ code: payload.code, state: payload.state },
+				{ code_verifier: payload.codeVerifier, state: generators.codeChallenge(payload.codeVerifier) }
+			);
 			userInfo = await this.client.userinfo(tokenSet);
 		} catch (e) {
 			throw handleError(e);
@@ -234,13 +236,14 @@ export function createOAuth2AuthRouter(providerName: string): Router {
 			try {
 				res.clearCookie(`oauth2.${providerName}`);

-				if (!req.query.code) {
-					logger.warn(`Couldn't extract OAuth2 code from query: ${JSON.stringify(req.query)}`);
+				if (!req.query.code || !req.query.state) {
+					logger.warn(`Couldn't extract OAuth2 code or state from query: ${JSON.stringify(req.query)}`);
 				}

 				authResponse = await authenticationService.login(providerName, {
 					code: req.query.code,
 					codeVerifier: verifier,
+					state: req.query.state,
 				});
 			} catch (error: any) {
 				logger.warn(error);
--- a/api/src/auth/drivers/openid.ts
+++ b/api/src/auth/drivers/openid.ts
@@ -56,10 +56,13 @@ export class OpenIDAuthDriver extends LocalAuthDriver {
 	async generateAuthUrl(codeVerifier: string): Promise<string> {
 		try {
 			const client = await this.client;
+			const codeChallenge = generators.codeChallenge(codeVerifier);
 			return client.authorizationUrl({
 				scope: this.config.scope ?? 'openid profile email',
-				code_challenge: generators.codeChallenge(codeVerifier),
+				code_challenge: codeChallenge,
 				code_challenge_method: 'S256',
+				// Some providers require state even with PKCE
+				state: codeChallenge,
 				access_type: 'offline',
 			});
 		} catch (e) {
@@ -89,8 +92,8 @@ export class OpenIDAuthDriver extends LocalAuthDriver {
 			const client = await this.client;
 			tokenSet = await client.callback(
 				this.redirectUrl,
-				{ code: payload.code },
-				{ code_verifier: payload.codeVerifier }
+				{ code: payload.code, state: payload.state },
+				{ code_verifier: payload.codeVerifier, state: generators.codeChallenge(payload.codeVerifier) }
 			);
 			userInfo = await client.userinfo(tokenSet);
 		} catch (e) {
@@ -240,13 +243,14 @@ export function createOpenIDAuthRouter(providerName: string): Router {
 			try {
 				res.clearCookie(`openid.${providerName}`);

-				if (!req.query.code) {
-					logger.warn(`Couldn't extract OAuth2 code from query: ${JSON.stringify(req.query)}`);
+				if (!req.query.code || !req.query.state) {
+					logger.warn(`Couldn't extract OpenID code or state from query: ${JSON.stringify(req.query)}`);
 				}

 				authResponse = await authenticationService.login(providerName, {
 					code: req.query.code,
 					codeVerifier: verifier,
+					state: req.query.state,
 				});
 			} catch (error: any) {
 				logger.warn(error);