Support overriding state variable

LakshanKarunathilake · LakshanKarunathilake · commit eac4974a9308 · 2022-02-23T15:09:18.000+05:30
diff --git a/openid_connect.js b/openid_connect.js
@@ -259,7 +259,7 @@ function getAuthZArgs(r) {
 
         authZArgs += "&code_challenge_method=S256&code_challenge=" + pkce_code_challenge + "&state=" + r.variables.pkce_id;
     } else {
-        authZArgs += "&state=0";
+        authZArgs += "&state=" + r.variables.state;
     }
     return authZArgs;
 }
@@ -272,4 +272,4 @@ function idpClientAuth(r) {
     } else {
         return "code=" + r.variables.arg_code + "&client_secret=" + r.variables.oidc_client_secret;
     }   
-}
+}
diff --git a/openid_connect.server_conf b/openid_connect.server_conf
@@ -39,7 +39,7 @@
         internal;
         proxy_ssl_server_name on; # For SNI to the IdP
         proxy_set_header      Content-Type "application/x-www-form-urlencoded";
-        proxy_set_body        "grant_type=authorization_code&client_id=$oidc_client&$args&redirect_uri=$redirect_base$redir_location";
+        proxy_set_body        "grant_type=authorization_code&client_id=$oidc_client&state=$state&$args&redirect_uri=$redirect_base$redir_location";
         proxy_method          POST;
         proxy_pass            $oidc_token_endpoint;
    }
@@ -51,7 +51,7 @@
         internal;
         proxy_ssl_server_name on; # For SNI to the IdP
         proxy_set_header      Content-Type "application/x-www-form-urlencoded";
-        proxy_set_body        "grant_type=refresh_token&refresh_token=$arg_token&client_id=$oidc_client&client_secret=$oidc_client_secret";
+        proxy_set_body        "grant_type=refresh_token&refresh_token=$arg_token&client_id=$oidc_client&state=$state&client_secret=$oidc_client_secret";
         proxy_method          POST;
         proxy_pass            $oidc_token_endpoint;
     }
diff --git a/openid_connect_configuration.conf b/openid_connect_configuration.conf
@@ -43,6 +43,11 @@ map $host $oidc_hmac_key {
     default "ChangeMe";
 }
 
+map $host $state {
+    # Unable to use this state if PKCE is enabled
+    default 0;
+}
+
 map $proto $oidc_cookie_flags {
     http  "Path=/; SameSite=lax;"; # For HTTP/plaintext testing
     https "Path=/; SameSite=lax; HttpOnly; Secure;"; # Production recommendation

Original file line number	Diff line number	Diff line change
`@@ -259,7 +259,7 @@ function getAuthZArgs(r) {`
`259`	`259`
`260`	`260`	`authZArgs += "&code_challenge_method=S256&code_challenge=" + pkce_code_challenge + "&state=" + r.variables.pkce_id;`
`261`	`261`	`} else {`
`262`		`- authZArgs += "&state=0";`
	`262`	`+ authZArgs += "&state=" + r.variables.state;`
`263`	`263`	`}`
`264`	`264`	`return authZArgs;`
`265`	`265`	`}`
`@@ -272,4 +272,4 @@ function idpClientAuth(r) {`
`272`	`272`	`} else {`
`273`	`273`	`return "code=" + r.variables.arg_code + "&client_secret=" + r.variables.oidc_client_secret;`
`274`	`274`	`}`
`275`		`-}`
	`275`	`+}`