AuthCode and Implicit grant don't return state parameter in error cases

[pmlt]

Hello,

I noticed a flaw in your implementation of AuthCode and Implicit grant. When you redirect back to the client URL with an error code and message, you do not pass back the "state" parameter that was passed to the authorization URL. RFC 6749 clearly states that you should do so in sections 4.1.2.1 and 4.2.2.1 (c.f. https://tools.ietf.org/html/rfc6749#section-4.1.2.1).

Not passing back the "state" parameter means that clients must eitheir implicitely trust your error messages (which can be dangerous) or flag your response as a possible CSRF attack (thus ignoring your error message).

Suggestion: Make the various constructors of OAuthServerException optionally accept a "state" parameter which is then appended to the redirect URI, and pass the appropriate value whenever the AuthCodeGrant and ImplicitGrant classes throw this exception.

[alexbilbie]

Hi @pmlt,

The state parameter is set in the RedirectResponse here https://github.com/thephpleague/oauth2-server/blob/master/src/Grant/AuthCodeGrant.php#L308-L330

I don't suppose you could create a test case for me please?

[pmlt]

Well it's very easy, just deny the permissions. Your highlight only runs if the authorization request is approved. If it is not approved, line 336 of the very same file creates an error response that doesn't include the state.

If you want, I can submit a PR to fix the issue, I think I have a pretty good idea of how to fix it.

[alexbilbie]

Okay sorry I understand the specific issue now. I will address this in the next patch update.

Thank you for spotting this!