feat: test oidc state before token request #1456
Merged
In `oidcProvider.js`:

- `state` value we generated along with the PKCE code challenge we sent and the associated code verifier.
- `state` matches our last stored `state`. If it does, continue with a token request using the stored code verifier. If it does not, display an error and offer to restart the authorization flow.

This might help in debugging esoteric issues as reported in #1440. The PKCE values can be found using DevTools or a JS console to view localStorage item `last-oidc`. The `pkce.codeChallenge` should be the URL encoded Base64 representation of the SHA256 digest of `pkce.codeVerifier`. In a Linux shell, the proper code challenge for a given `pkce.codeVerifier` can be calculated by invoking: