From aebb6818b7db6ee665a72281fcd109f37cfbc5c1 Mon Sep 17 00:00:00 2001
From: Eric Chiang
Date: Thu, 1 Dec 2016 09:05:56 -0800
Subject: [PATCH] cmd/example-app: use a non-empty state

Use a non-empty state in the example-app to ensure dex is properly preserving the state for the code flow.

Updates #712
---
 cmd/example-app/main.go | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/cmd/example-app/main.go b/cmd/example-app/main.go
index 32728841..a188dccc 100644
--- a/cmd/example-app/main.go
+++ b/cmd/example-app/main.go
@@ -23,6 +23,8 @@ import (
 	"golang.org/x/oauth2"
 )
 
+const exampleAppState = "I wish to wash my irish wristwatch"
+
 type app struct {
 	clientID     string
 	clientSecret string
@@ -241,9 +243,9 @@ func (a *app) handleLogin(w http.ResponseWriter, r *http.Request) {
 	scopes = append(scopes, "openid", "profile", "email")
 	if a.offlineAsScope {
 		scopes = append(scopes, "offline_access")
-		authCodeURL = a.oauth2Config(scopes).AuthCodeURL("")
+		authCodeURL = a.oauth2Config(scopes).AuthCodeURL(exampleAppState)
 	} else {
-		authCodeURL = a.oauth2Config(scopes).AuthCodeURL("", oauth2.AccessTypeOffline)
+		authCodeURL = a.oauth2Config(scopes).AuthCodeURL(exampleAppState, oauth2.AccessTypeOffline)
 	}
 	http.Redirect(w, r, authCodeURL, http.StatusSeeOther)
 }
@@ -254,6 +256,11 @@ func (a *app) handleCallback(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if state := r.FormValue("state"); state != exampleAppState {
+		http.Error(w, fmt.Sprintf("expected state %q got %q", exampleAppState, state), http.StatusBadRequest)
+		return
+	}
+
 	code := r.FormValue("code")
 	refresh := r.FormValue("refresh_token")
 	var (
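Review bot: `exampleAppState` is a fixed, public string, so the `state` comparison it enables in handleCallback (third hunk) and the AuthCodeURL calls in handleLogin (second hunk) only demonstrate that dex returns the parameter unchanged; they do not bind the callback to the browser session that started the login, which is what the OAuth2 state parameter exists for. That is adequate for the round-trip check the commit message describes, but example-app is what readers copy, so the constant should say so: `// exampleAppState is a fixed, non-secret state used only to verify that dex echoes the state parameter back unchanged. A real client must generate an unpredictable per-request state, keep it in the user's session, and compare the callback's state against that stored value.` The callback's error also echoes the expected value into the response body; in a real client that would disclose the session's state, so reporting only that the state did not match is the safer pattern to show. handleLogin and handleCallback both begin outside their hunks.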