From 5e4cdc6a1293cecca1400ae3262017f325e60527 Mon Sep 17 00:00:00 2001
From: Lennart <18233294+lennart-k@users.noreply.github.com>
Date: Sun, 20 Apr 2025 21:30:32 +0200
Subject: [PATCH] oidc: Add checking of state returned by IdP
---
 crates/frontend/src/oidc/mod.rs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/crates/frontend/src/oidc/mod.rs b/crates/frontend/src/oidc/mod.rs
index fc976b5..dce73cf 100644
--- a/crates/frontend/src/oidc/mod.rs
+++ b/crates/frontend/src/oidc/mod.rs
@@ -131,6 +131,7 @@ pub async fn route_post_oidc(
 pub struct AuthCallbackQuery {
 code: AuthorizationCode,
 iss: IssuerUrl,
+ state: String,
 }
 
 /// Handle callback from IdP page
@@ -139,7 +140,7 @@ pub async fn route_get_oidc_callback(
 oidc_config: Data,
 session: Session,
 auth_provider: Data,
- Query(AuthCallbackQuery { code, iss }): Query,
+ Query(AuthCallbackQuery { code, iss, state }): Query,
 default_redirect_name: Data,
 ) -> Result {
 assert_eq!(iss, oidc_config.issuer);
@@ -148,6 +149,8 @@ pub async fn route_get_oidc_callback(
 .ok_or(OidcError::Other("No local OIDC state"))?
 .map_err(|_| OidcError::Other("Error parsing OIDC state"))?;
 
+ assert_eq!(oidc_state.state.secret(), &state);
+
 let http_client = get_http_client();
 let oidc_client = get_oidc_client(
 oidc_config.get_ref().clone(),
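Review bot: The added `assert_eq!(oidc_state.state.secret(), &state);` in the third hunk turns a state mismatch into a panic inside the request handler instead of a rejected request; the `state` query parameter arrives from whoever calls the callback URL, so a mismatch is an expected error path and should be reported the way the two lines directly above already report missing or unparsable local state: `if oidc_state.state.secret() != &state {` / `return Err(OidcError::Other("OIDC state mismatch"));` / `}`. The pre-existing `assert_eq!(iss, oidc_config.issuer);` in the second hunk has the same panic-on-untrusted-input shape and is worth converting in the same way, though it is not part of this change. Once the comparison has been made, the session-held state should be removed so the same value cannot be presented again on a later callback; whether that already happens cannot be seen here, since route_get_oidc_callback continues past the end of the hunk.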