core/oauth2: don't set state in responses if not supplied

goauthentik · May 3, 2024 · be46401 · be46401
1 parent 49cf10e
commit be46401
Showing 1 changed file with 6 additions and 5 deletions.
diff --git a/authentik/providers/oauth2/views/authorize.py b/authentik/providers/oauth2/views/authorize.py
@@ -88,7 +88,7 @@ class OAuthAuthorizationParams:
     response_type: str
     response_mode: str | None
     scope: set[str]
-    state: str
+    state: str | None
     nonce: str | None
     prompt: set[str]
     grant_type: str
@@ -115,7 +115,6 @@ def from_request(request: HttpRequest, github_compat=False) -> "OAuthAuthorizati
         # Because in this endpoint we handle both GET
         # and POST request.
         query_dict = request.POST if request.method == "POST" else request.GET
-        state = query_dict.get("state")
         redirect_uri = query_dict.get("redirect_uri", "")
 
         response_type = query_dict.get("response_type", "")
@@ -132,7 +131,7 @@ def from_request(request: HttpRequest, github_compat=False) -> "OAuthAuthorizati
             response_mode=response_mode,
             grant_type="",
             scope=set(query_dict.get("scope", "").split()),
-            state=state,
+            state=query_dict.get("state"),
             nonce=query_dict.get("nonce"),
             prompt=ALLOWED_PROMPT_PARAMS.intersection(set(query_dict.get("prompt", "").split())),
             request=query_dict.get("request", None),
@@ -558,7 +557,8 @@ def create_response_uri(self) -> str:
             if self.params.response_mode == ResponseMode.QUERY:
                 query_params = parse_qs(uri.query)
                 query_params["code"] = code.code
-                query_params["state"] = [str(self.params.state) if self.params.state else ""]
+                if self.params.state != None:
+                    query_params["state"] = str(self.params.state)
 
                 uri = uri._replace(query=urlencode(query_params, doseq=True))
                 return urlunsplit(uri)
@@ -567,7 +567,8 @@ def create_response_uri(self) -> str:
                 query_fragment = {}
                 if self.params.grant_type in [GrantTypes.AUTHORIZATION_CODE]:
                     query_fragment["code"] = code.code
-                    query_fragment["state"] = [str(self.params.state) if self.params.state else ""]
+                    if self.params.state != None:
+                        query_fragment["state"] = str(self.params.state)
                 else:
                     query_fragment = self.create_implicit_response(code)