diff --git a/authentik/providers/oauth2/views/authorize.py b/authentik/providers/oauth2/views/authorize.py
index c660f9c58dc0..f4bab2e947b0 100644
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@@ -88,7 +88,7 @@ class OAuthAuthorizationParams:
 response_type: str
 response_mode: str | None
 scope: set[str]
- state: str
+ state: str | None
 nonce: str | None
 prompt: set[str]
 grant_type: str
@@ -115,7 +115,6 @@ def from_request(request: HttpRequest, github_compat=False) -> "OAuthAuthorizati
 # Because in this endpoint we handle both GET
 # and POST request.
 query_dict = request.POST if request.method == "POST" else request.GET
- state = query_dict.get("state")
 redirect_uri = query_dict.get("redirect_uri", "")
 response_type = query_dict.get("response_type", "")
@@ -132,7 +131,7 @@ def from_request(request: HttpRequest, github_compat=False) -> "OAuthAuthorizati
 response_mode=response_mode,
 grant_type="",
 scope=set(query_dict.get("scope", "").split()),
- state=state,
+ state=query_dict.get("state"),
 nonce=query_dict.get("nonce"),
 prompt=ALLOWED_PROMPT_PARAMS.intersection(set(query_dict.get("prompt", "").split())),
 request=query_dict.get("request", None),
@@ -558,7 +557,8 @@ def create_response_uri(self) -> str:
 if self.params.response_mode == ResponseMode.QUERY:
 query_params = parse_qs(uri.query)
 query_params["code"] = code.code
- query_params["state"] = [str(self.params.state) if self.params.state else ""]
+ if self.params.state != None:
+ query_params["state"] = str(self.params.state)
 uri = uri._replace(query=urlencode(query_params, doseq=True))
 return urlunsplit(uri)
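Review bot: The new guard `if self.params.state != None:` in the query-mode hunk of create_response_uri (and the identical line in the fragment-mode hunk at @@ -567) should test identity, `if self.params.state is not None:`, per PEP 8 (ruff E711). Echoing `state` only when the client supplied one is the RFC 6749 §4.1.2 behaviour (the parameter is REQUIRED in the response only if it was present in the request), and that rationale is worth a comment on the guard: `# RFC 6749 §4.1.2: echo state only when the client supplied one`. One consequence to double-check: because `query_params` comes from `parse_qs(uri.query)` on the line above, a `state` key already present in the redirect URI's own query string is now passed through unchanged when the request carried none, whereas the removed line always overwrote it; whether that matters depends on the redirect_uri validation performed outside this hunk. create_response_uri starts and ends outside the hunk.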
@@ -567,7 +567,8 @@ def create_response_uri(self) -> str:
 query_fragment = {}
 if self.params.grant_type in [GrantTypes.AUTHORIZATION_CODE]:
 query_fragment["code"] = code.code
- query_fragment["state"] = [str(self.params.state) if self.params.state else ""]
+ if self.params.state != None:
+ query_fragment["state"] = str(self.params.state)
 else:
 query_fragment = self.create_implicit_response(code)