From 4c82e8843066ed44122620c0bee95608d31181fb Mon Sep 17 00:00:00 2001
From: Andy Gomez
Date: Wed, 26 Oct 2022 12:40:13 -0400
Subject: [PATCH] Add state parameter to the authorization code request

Some OIDC providers such as Okta require this parameter to be set in the request for an authorization code
---
 keystoneauth_oidc/plugin.py | 5 ++++-
 keystoneauth_oidc/tests/unit/test_oidc.py | 3 ++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/keystoneauth_oidc/plugin.py b/keystoneauth_oidc/plugin.py
index 844a6a4..40de005 100644
--- a/keystoneauth_oidc/plugin.py
+++ b/keystoneauth_oidc/plugin.py
@@ -18,6 +18,7 @@
 import pkce
 import socket
 import webbrowser
+import uuid
 
 from keystoneauth1 import _utils as utils
 from keystoneauth1 import access
@@ -164,6 +165,7 @@ def __init__(self, auth_url, identity_provider, protocol, client_id,
         self.redirect_uri = "http://%s:%s" % (self.redirect_host, self.redirect_port)
         self.code_verifier = None
         self.code_challenge = None
+        self.state = uuid.uuid4().hex
 
         if client_secret in ['', None]:
             self.code_verifier, self.code_challenge = pkce.generate_pkce_pair()
@@ -201,7 +203,8 @@ def _get_authorization_code(self, session):
         payload = {"client_id": self.client_id,
                    "response_type": "code",
                    "scope": self.scope,
-                   "redirect_uri": self.redirect_uri}
+                   "redirect_uri": self.redirect_uri,
+                   "state": self.state}
 
         if self.code_challenge is not None:
             payload.update({
diff --git a/keystoneauth_oidc/tests/unit/test_oidc.py b/keystoneauth_oidc/tests/unit/test_oidc.py
index f4cf918..9dc2667 100644
--- a/keystoneauth_oidc/tests/unit/test_oidc.py
+++ b/keystoneauth_oidc/tests/unit/test_oidc.py
@@ -118,7 +118,8 @@ def test__get_authorization_code(self,
         payload = {"client_id": self.CLIENT_ID,
                    "response_type": "code",
                    "scope": self.plugin.scope,
-                   "redirect_uri": self.plugin.redirect_uri}
+                   "redirect_uri": self.plugin.redirect_uri,
+                   "state": self.plugin.state}
         url = "%s?%s" % (self.AUTHORIZATION_ENDPOINT, urllib.parse.urlencode(payload))
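Review bot: `import uuid` is appended after `import webbrowser`, which breaks the alphabetical order the stdlib group otherwise keeps; it belongs between `import socket` and `import webbrowser`. Since the value is only used as an opaque per-request nonce, `secrets.token_urlsafe(16)` states that intent more directly than a UUID, in which case this line would become `import secrets` instead.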
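Review bot: `self.state` is generated once in `__init__`, so every authorization request made through the same plugin instance sends the same state value, which defeats the per-request binding the parameter is meant to provide. Generating it at the start of `_get_authorization_code` and storing it on the instance (`self.state = uuid.uuid4().hex` there) keeps the attribute the unit test reads while making each request fresh; the test would then have to read `self.plugin.state` after the call rather than before. `uuid4().hex` itself is drawn from `os.urandom` and is acceptable as a nonce. `__init__` continues outside this hunk, so the attribute may be reset elsewhere — worth confirming.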
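Review bot: The new `state` value is sent with the authorization request, but nothing in this diff compares the `state` echoed back to the redirect URI against `self.state` before the authorization code is accepted; without that comparison the parameter satisfies providers that require it but gives the code exchange no CSRF protection. The handler that receives the redirect is outside this hunk, so the check may already exist there — if not, the response should be rejected when the returned value is missing or differs, e.g. `if query.get("state") != self.state:` (query name constructed) followed by raising rather than exchanging the code. `_get_authorization_code` continues outside the hunk, and the test hunk in test_oidc.py asserts only that the parameter is sent, not that a mismatched reply is refused.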