'state' is optional

2026-03-21 08:39:40 +01:00 · 2023-10-11 16:17:47 +02:00
parent d7d2b94dea
commit 48ab035574
4 changed files with 41 additions and 8 deletions
--- a/src/main/java/com/ysoft/geecon/OAuthResource.java
+++ b/src/main/java/com/ysoft/geecon/OAuthResource.java
@@ -10,7 +10,6 @@ import com.ysoft.geecon.repo.SessionsRepo;
 import com.ysoft.geecon.repo.UsersRepo;
 import io.quarkus.qute.CheckedTemplate;
 import io.quarkus.qute.TemplateInstance;
-import io.quarkus.runtime.util.StringUtil;
 import io.quarkus.security.webauthn.WebAuthnLoginResponse;
 import io.quarkus.security.webauthn.WebAuthnRegisterResponse;
 import io.quarkus.security.webauthn.WebAuthnSecurity;
@@ -153,9 +152,11 @@ public class OAuthResource {
            var responseTypes = session.params().getResponseTypes();

            UriBuilder uri = UriBuilder.fromUri(redirectUri)
-                    .fragment("")
-                    .queryParam("state", session.params().getState());
+                    .fragment("");

+            if (StringUtils.isNotBlank(session.params().getState())) {
+                uri.queryParam("state", session.params().getState());
+            }
            if (responseTypes.contains(AuthParams.ResponseType.code)) {
                uri.queryParam("code", sessionsRepo.generateAuthorizationCode(sessionId));
            }
@@ -263,9 +264,10 @@ public class OAuthResource {
            // must NOT redirect to invalid redirect URI
            throw new OAuthUserVisibleException(ErrorResponse.Error.invalid_request, "Invalid redirect URI");
        }
-        if (StringUtil.isNullOrEmpty(params.getState())) {
-            throw new OAuthRedirectException(params, ErrorResponse.Error.invalid_request, "Missing state");
-        }
+        // state is optional
+//        if (StringUtil.isNullOrEmpty(params.getState())) {
+//            throw new OAuthRedirectException(params, ErrorResponse.Error.invalid_request, "Missing state");
+//        }
        if (!params.validateResponseType()) {
            throw new OAuthRedirectException(params, ErrorResponse.Error.unsupported_response_type,
                    "Unsupported response type");
--- a/src/main/java/com/ysoft/geecon/error/OAuthRedirectException.java
+++ b/src/main/java/com/ysoft/geecon/error/OAuthRedirectException.java
@@ -3,6 +3,7 @@ package com.ysoft.geecon.error;
 import com.ysoft.geecon.dto.AuthParams;
 import jakarta.ws.rs.core.Response;
 import jakarta.ws.rs.core.UriBuilder;
+import org.apache.commons.lang3.StringUtils;

 public class OAuthRedirectException extends OAuthApiException {
    private final AuthParams authParams;
@@ -19,9 +20,11 @@ public class OAuthRedirectException extends OAuthApiException {
    public Response getResponse() {
        UriBuilder uri = UriBuilder.fromUri(authParams.getRedirectUri())
                .fragment("")
-                .queryParam("state", authParams.getState())
                .queryParam("error", response.error())
                .queryParam("error_description", response.description());
+        if (StringUtils.isNotBlank(authParams.getState())) {
+            uri.queryParam("state", authParams.getState());
+        }
        return Response.seeOther(uri.build()).build();
    }
 }