
Flow error about web-auth (closed, 4 comments)

xp-forge commented on July 19, 2024
Flow error

from web-auth.

Comments (4)

thekid commented on July 19, 2024

Unclear what's causing this.

The OAuth2Flow flow works as follows:

  1. If no state is in session or no state parameter is passed, start authorization flow by:
    a. creating 32 random bytes as state
    b. storing them in the session
    c. redirecting the user to the authorization page, appending the state
  2. The authorization page now performs its duty and redirects back to us, passing back the state
  3. If the session state matches the state parameter, exchange the auth code for an access token by:
    a. performing a post-back to the authorization page
    b. storing the returned access token in the session
    c. redirecting to ourselves, removing the URL parameters from step 2
  4. Read (and subsequently remove) the access token from the session, returning flow control

We can reach this "flow error" condition if step 2 fails to return the state we passed (very unlikely in this case, it would be an O365 SSO error), or if the session value gets exchanged with a different value while steps 2..4 haven't completed yet.


thekid commented on July 19, 2024

...or if the session value gets exchanged with a different value while steps 2..4 haven't completed yet.

A new value is generated when a) no state is in session... (error message above rules this out)
or b) no state parameter is passed.

So basically if I do the following:

  1. Open the app URL, follow the redirect. This creates the session value and passes it to the SSO.
  2. In a new tab, open the app URL. This changes the session value.
  3. Go back to the first tab and continue authenticating there. The SSO passes back the value created during step 1

For this to work, the SSO may not immediately redirect back in step 1, that is, we need to log out.

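A constructed Python model of the state handling described in the two comments above, added here as an illustration (not the project's own code; the names `handle`, `SESSION_KEY` and the scenario helpers are assumed). It shows why a second tab invalidates the first tab's callback with the original logic, and why keeping the pending state instead of regenerating it avoids the flow error:

```python
import secrets

SESSION_KEY = 'oauth2'  # assumed name; stands in for OAuth2Flow::SESSION_KEY


class FlowError(Exception):
    """Raised when the callback's state does not match the session."""


def handle(session, state_param, reuse_state):
    """One request to the app, following the steps in the issue.

    session     -- dict standing in for the server-side session store
    state_param -- value of the ?state= query parameter, or None
    reuse_state -- False: original behaviour, True: the patched behaviour
    Returns ('redirect', state) or ('ok', state); token exchange is omitted.
    """
    stored = session.get(SESSION_KEY)
    if stored is None or state_param is None:
        if reuse_state and stored is not None:
            state = stored['state']            # patched: keep the pending state
        else:
            state = secrets.token_hex(16)      # 16 random bytes, hex encoded
            session[SESSION_KEY] = {'state': state}
        return ('redirect', state)             # step 1c: send the user to the SSO
    if state_param != stored['state']:
        raise FlowError('Flow error')          # step 3 check failed
    del session[SESSION_KEY]                   # step 4: consume the entry
    return ('ok', state_param)


def two_tab_scenario(reuse_state):
    """Reproduction from the issue: a second tab visits the app while the
    first tab is still at the SSO, then the SSO redirects the first tab back."""
    session = {}
    _, tab1_state = handle(session, None, reuse_state)   # tab 1 -> SSO
    handle(session, None, reuse_state)                   # tab 2 opens app URL
    try:
        handle(session, tab1_state, reuse_state)         # SSO calls back for tab 1
        return 'ok'
    except FlowError:
        return 'flow error'


def single_tab_scenario(reuse_state):
    """Normal flow with one tab: succeeds with either behaviour."""
    session = {}
    _, state = handle(session, None, reuse_state)
    return handle(session, state, reuse_state)[0]
```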

thekid commented on July 19, 2024

I haven't been able to reproduce the issue, but we should be able to fix this issue as follows:

diff --git a/src/main/php/web/auth/oauth/OAuth2Flow.class.php b/src/main/php/web/auth/oauth/OAuth2Flow.class.php
index 50d3f48..544dbd9 100755
--- a/src/main/php/web/auth/oauth/OAuth2Flow.class.php
+++ b/src/main/php/web/auth/oauth/OAuth2Flow.class.php
@@ -130,9 +130,15 @@ class OAuth2Flow extends Flow {
     // Start authorization flow to acquire an access token
     $server= $request->param('state');
     if (null === $stored || null === $server) {
-      $state= bin2hex($this->rand->bytes(16));
-      $session->register(self::SESSION_KEY, ['state' => $state, 'target' => (string)$uri]);
-      $session->transmit($response);
+
+      // Reuse state
+      if (isset($stored['state'])) {
+        $state= $stored['state'];
+      } else {
+        $state= bin2hex($this->rand->bytes(16));
+        $session->register(self::SESSION_KEY, ['state' => $state, 'target' => (string)$uri]);
+        $session->transmit($response);
+      }
 
       // Redirect the user to the authorization page
       $params= [
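Review bot: In the reuse branch, `target` in the session entry is left as it was, so when the second tab requested a different URL the post-login redirect still goes to the first tab's `target`; if that matters, update `target` while keeping `state` (which requires calling `$session->register(...)` and `$session->transmit($response)` in that branch too). Also, since the same state now survives every fresh visit until a callback completes it, an abandoned login keeps that state valid with no upper bound; storing a timestamp alongside `state` and regenerating once it is older than a few minutes would bound that window.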


thekid commented on July 19, 2024

Fix released in https://github.com/xp-forge/web-auth/releases/tag/v3.4.1

