From 25b0d7f84614fe8a67f4c767375e605f0d2ccd65 Mon Sep 17 00:00:00 2001
From: tutman96
Date: Thu, 21 Nov 2019 10:21:00 -0500
Subject: [PATCH] Fix for ory/hydra#1642. Return state parameter in authorization error conditions

---
 authorize_request_handler.go | 7 +++++--
 authorize_request_handler_test.go | 2 ++
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/authorize_request_handler.go b/authorize_request_handler.go
index fa53f96a..92a09abf 100644
--- a/authorize_request_handler.go
+++ b/authorize_request_handler.go
@@ -226,6 +226,11 @@ func (f *Fosite) NewAuthorizeRequest(ctx context.Context, r *http.Request) (Auth } request.Form = r.Form + + // Save state to the request to be returned in error conditions (https://github.com/ory/hydra/issues/1642) + state := request.Form.Get("state") + request.State = state + client, err := f.Store.GetClient(ctx, request.GetRequestForm().Get("client_id")) if err != nil { return request, errors.WithStack(ErrInvalidClient.WithHint("The requested OAuth 2.0 Client does not exist.").WithDebug(err.Error()))
@@ -262,12 +267,10 @@ func (f *Fosite) NewAuthorizeRequest(ctx context.Context, r *http.Request) (Auth
 	//
 	// https://tools.ietf.org/html/rfc6819#section-4.4.1.8
 	// The "state" parameter should not be guessable
-	state := request.Form.Get("state")
 	if len(state) < MinParameterEntropy {
 		// We're assuming that using less then 8 characters for the state can not be considered "unguessable"
 		return request, errors.WithStack(ErrInvalidState.WithHintf(`Request parameter "state" must be at least be %d characters long to ensure sufficient entropy.`, MinParameterEntropy))
 	}
-	request.State = state

 	return request, nil
 }
diff --git a/authorize_request_handler_test.go b/authorize_request_handler_test.go
index 4b2da6dc..c7775f8e 100644
--- a/authorize_request_handler_test.go
+++ b/authorize_request_handler_test.go
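Review bot: The new block stores the caller-supplied `state` on the request before the client (next line) and, further down, the redirect URI have been validated, so from this point on an error response may echo it into a redirect for every failure path, including `ErrInvalidClient`. That is what RFC 6749 §4.1.2.1 asks for, but it is only safe if the error writer (not in this hunk) redirects solely to a redirect_uri already matched against the registered client, which is worth confirming. The comment should also say the value is unvalidated here, e.g. `// Save the raw state early so error responses can echo it back (RFC 6749 §4.1.2.1); it is only checked for entropy further down.` NewAuthorizeRequest starts before and continues past this hunk.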
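Review bot: The entropy check now tests the `state` captured near the top of the function instead of reading `request.Form` at this point, so if anything between the two hunks replaces or merges `request.Form` (for instance parameters lifted from an OpenID Connect request object, not visible here) the value that is validated, and the one already stored in `request.State`, can differ from what the rest of the request carries. Re-reading just before the check keeps them in step at no cost: `state = request.Form.Get("state")` and `request.State = state` immediately above `if len(state) < MinParameterEntropy {`. The enclosing function begins outside the hunk.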
@@ -239,6 +239,8 @@ func TestNewAuthorizeRequest(t *testing.T) {
 			ar, err := c.conf.NewAuthorizeRequest(context.Background(), c.r)
 			if c.expectedError != nil {
 				assert.EqualError(t, errors.Cause(err), c.expectedError.Error())
+				// https://github.com/ory/hydra/issues/1642
+				AssertObjectKeysEqual(t, &AuthorizeRequest{State: c.query.Get("state")}, ar, "State")
 			} else {
 				require.NoError(t, err)
 				AssertObjectKeysEqual(t, c.expect, ar, "ResponseTypes", "RequestedAudience", "RequestedScope", "Client", "RedirectURI", "State")