State ID check in Hybrid flow is not accurate
harjoben opened this issue · comments
Preflight checklist
- I could not find a solution in the existing issues, docs, nor discussions.
- I agree to follow this project's Code of Conduct.
- I have read and am following this repository's Contribution Guidelines.
- This issue affects my Ory Cloud project.
- I have joined the Ory Community Slack.
- I am signed up to the Ory Security Patch Newsletter.
Describe the bug
The flow_hybrid.go has this check here for state where it assigns the value from the fosite.AuthorizeRequester if there is no state present in the response parameters.
if resp.GetParameters().Get("state") == "" {
resp.AddParameter("state", ar.GetState())
}
But the check will misbehave if there is empty string passed in as "state". In that scenario, response parameter will have "state" with two empty strings as values. This will result in the redirect uri having duplicate state keys.
The above if statement should be changed to
if !resp.GetParameters().Has("state") {
resp.AddParameter("state", ar.GetState())
}
Reproducing the bug
Pass in empty state in the authorize request
Relevant log output
The redirect uri will look something like:
ui/oidcclient/redirect#expires_in=7199&token_type=bearer&state=&state=&scope=openid%20profile&id_token=<id_token>&code=<code>&access_token=<access_token>Relevant configuration
No response
Version
v0.41.0
On which operating system are you observing this issue?
No response
In which environment are you deploying?
No response
Additional Context
No response
Nice find, PRs appreciated :)
