github
/
OpenID-Connect-Java-Spring-Server
mirror of https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Improve state handling in handleAuthorizationCodeResponse 

Fail fast when there is no state in session, e.g. because the session
cookie was removed.

Resolves #949
pull/952/merge
Mark Janssen 9 years ago committed by Justin Richer
parent
6d2b73a7ef
commit
4f9ea0b474
1 changed files with 3 additions and 5 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 8
      openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java

8
openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java
Unescape View File

@ -286,11 +286,9 @@ public class OIDCAuthenticationFilter extends AbstractAuthenticationProcessingFi
// check for state, if it doesn't match we bail early
String storedState = getStoredState(session);
if (!Strings.isNullOrEmpty(storedState)) {
String state = request.getParameter("state");
if (!storedState.equals(state)) {
throw new AuthenticationServiceException("State parameter mismatch on return. Expected " + storedState + " got " + state);
}
String requestState = request.getParameter("state");
if (storedState == null || !storedState.equals(requestState)) {
throw new AuthenticationServiceException("State parameter mismatch on return. Expected " + storedState + " got " + requestState);
}
// look up the issuer that we set out to talk to

Write Preview
Loading…
Cancel
Save