cmd/example-app: use a non-empty state

Use a non-empty state in the example-app to ensure dex is properly preserving the state for the code flow. Updates #712
9 years ago · aebb6818b7
1 changed files with 9 additions and 2 deletions
--- a/cmd/example-app/main.go
+++ b/cmd/example-app/main.go
@ -23,6 +23,8 @@ import (
 	"golang.org/x/oauth2"
 )

+const exampleAppState = "I wish to wash my irish wristwatch"
+
 type app struct {
 	clientID     string
 	clientSecret string
@ -241,9 +243,9 @@ func (a *app) handleLogin(w http.ResponseWriter, r *http.Request) {
 	scopes = append(scopes, "openid", "profile", "email")
 	if a.offlineAsScope {
 		scopes = append(scopes, "offline_access")
-		authCodeURL = a.oauth2Config(scopes).AuthCodeURL("")
+		authCodeURL = a.oauth2Config(scopes).AuthCodeURL(exampleAppState)
 	} else {
-		authCodeURL = a.oauth2Config(scopes).AuthCodeURL("", oauth2.AccessTypeOffline)
+		authCodeURL = a.oauth2Config(scopes).AuthCodeURL(exampleAppState, oauth2.AccessTypeOffline)
 	}
 	http.Redirect(w, r, authCodeURL, http.StatusSeeOther)
 }
@ -254,6 +256,11 @@ func (a *app) handleCallback(w http.ResponseWriter, r *http.Request) {
 		return
 	}

+	if state := r.FormValue("state"); state != exampleAppState {
+		http.Error(w, fmt.Sprintf("expected state %q got %q", exampleAppState, state), http.StatusBadRequest)
+		return
+	}
+
 	code := r.FormValue("code")
 	refresh := r.FormValue("refresh_token")
 	var (