From 4f9ea0b474ae481fa20365744841a4c0db0c9a05 Mon Sep 17 00:00:00 2001
From: Mark Janssen
Date: Sun, 25 Oct 2015 19:17:58 +0100
Subject: [PATCH] Improve state handling in handleAuthorizationCodeResponse

Fail fast when there is no state in session, e.g. because the session cookie was removed.

Resolves #949
---
 .../openid/connect/client/OIDCAuthenticationFilter.java | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java
index ce0a10920..dbf0ab50f 100644
--- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java
+++ b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java
@@ -286,11 +286,9 @@ public class OIDCAuthenticationFilter extends AbstractAuthenticationProcessingFi
 
 		// check for state, if it doesn't match we bail early
 		String storedState = getStoredState(session);
-		if (!Strings.isNullOrEmpty(storedState)) {
-			String state = request.getParameter("state");
-			if (!storedState.equals(state)) {
-				throw new AuthenticationServiceException("State parameter mismatch on return. Expected " + storedState + " got " + state);
-			}
+		String requestState = request.getParameter("state");
+		if (storedState == null || !storedState.equals(requestState)) {
+			throw new AuthenticationServiceException("State parameter mismatch on return. Expected " + storedState + " got " + requestState);
 		}
 
 		// look up the issuer that we set out to talk to
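Review bot: The added throw line still concatenates the session's expected state and the raw `state` request parameter into the exception message, and the request value is caller-controlled and unbounded, so wherever that message ends up (error page, log line) it carries untrusted content and the session's own nonce. Since the fail-fast check now correctly rejects a missing session state, the values add nothing a legitimate caller needs; prefer a fixed message and keep the comparison detail for debug logging: `throw new AuthenticationServiceException("State parameter mismatch on return.");`. The hunk also does not show the stored state being removed from the session after a successful comparison, so if getStoredState only reads it, a replayed callback URL would pass this check again — consider clearing it once consumed. The surrounding method handleAuthorizationCodeResponse begins and ends outside the hunk.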