cmd/example-app: use a non-empty state

Use a non-empty state in the example-app to ensure dex is properly
preserving the state for the code flow.

Updates #712
Eric Chiang 2016-12-01 09:05:56 -08:00
parent 9d9ad4a5b3
commit aebb6818b7


@ -23,6 +23,8 @@ import (
"golang.org/x/oauth2" "golang.org/x/oauth2"
) )
const exampleAppState = "I wish to wash my irish wristwatch"
type app struct { type app struct {
clientID string clientID string
clientSecret string clientSecret string
@ -241,9 +243,9 @@ func (a *app) handleLogin(w http.ResponseWriter, r *http.Request) {
scopes = append(scopes, "openid", "profile", "email") scopes = append(scopes, "openid", "profile", "email")
if a.offlineAsScope { if a.offlineAsScope {
scopes = append(scopes, "offline_access") scopes = append(scopes, "offline_access")
authCodeURL = a.oauth2Config(scopes).AuthCodeURL("") authCodeURL = a.oauth2Config(scopes).AuthCodeURL(exampleAppState)
} else { } else {
authCodeURL = a.oauth2Config(scopes).AuthCodeURL("", oauth2.AccessTypeOffline) authCodeURL = a.oauth2Config(scopes).AuthCodeURL(exampleAppState, oauth2.AccessTypeOffline)
} }
http.Redirect(w, r, authCodeURL, http.StatusSeeOther) http.Redirect(w, r, authCodeURL, http.StatusSeeOther)
} }
@ -254,6 +256,11 @@ func (a *app) handleCallback(w http.ResponseWriter, r *http.Request) {
return return
} }
if state := r.FormValue("state"); state != exampleAppState {
http.Error(w, fmt.Sprintf("expected state %q got %q", exampleAppState, state), http.StatusBadRequest)
return
}
code := r.FormValue("code") code := r.FormValue("code")
refresh := r.FormValue("refresh_token") refresh := r.FormValue("refresh_token")
var ( var (
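Review bot: The value checked at `if state := r.FormValue("state"); state != exampleAppState` is a fixed, publicly known constant, so the comparison only confirms that dex echoed the parameter back; it gives none of the CSRF/session-binding protection that `state` exists for, since anyone can build a callback URL carrying that constant and a code of their choosing. That is acceptable for an example app whose stated purpose is exercising dex's state round-trip, but example code gets copied, so the constant should say so: `// exampleAppState is a fixed value used only to check that dex round-trips state. Real clients must generate an unpredictable per-login value, keep it in the user's session, and compare against it in the callback.` Along the same line, the `http.Error` at the mismatch echoes the expected value to the caller, which is harmless here but would hand a real per-session token back to whoever sent the bad request in a copied version; `http.Error(w, "invalid state", http.StatusBadRequest)` with the detail logged server-side is the safer shape. handleCallback's body continues past the end of this hunk.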