
Question: is it right that csrf_token from the PKCE example is unused?

Open LuckyTurtleDev opened this issue 9 months ago • 2 comments

I tried to run the PKCE example from the docs.rs page, but I get this warning:

```text
warning: unused variable: `csrf_token`
  --> src/main.rs:38:20
   |
38 |     let (auth_url, csrf_token, nonce) = client
   |                    ^^^^^^^^^^ help: if this is intentional, prefix it with an underscore: `_csrf_token`
   |
   = note: `#[warn(unused_variables)]` on by default
```

https://docs.rs/openidconnect/latest/src/openidconnect/lib.rs.html#191

Is the `csrf_token` not needed anymore, or is it just missing from the example?

LuckyTurtleDev avatar Feb 17 '25 15:02 LuckyTurtleDev

I have just been through figuring this out, and as far as I can make out, it should be used, but the docs gloss over it a bit:

> For security reasons, your code should verify that the state parameter returned by the server matches csrf_state

where `csrf_state` is the secret from the unused `csrf_token` and `state` is one of the query parameters passed to the redirect URL by the auth provider.

The example makes it appear that the whole block can be run at once whereas there are two separate sections, before and after the user logs in and you've retrieved the code from the redirect URL query.

tpoliaw avatar Feb 18 '25 14:02 tpoliaw
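The two-phase flow described in the answer above, as an added stand-alone example (not code from the openidconnect crate or from either commenter): phase 1 stores the secret of `csrf_token` against the browser session before redirecting, and phase 2, after the user has logged in, reads `code` and `state` from the redirect URL query and refuses to use the `code` unless `state` matches the stored secret. The `PendingLogins` store, the `session_id` values, the hand-written query parser and the sample `csrf` secrets are all assumptions constructed for this example; a real app would get the secret from `csrf_token.secret()` and persist it in its own session store.

```rust
// Added example, not the openidconnect crate's own code. A HashMap stands in
// for the session store and the csrf secret is a constructed sample value
// rather than one produced by CsrfToken::new_random().
use std::collections::HashMap;

/// What the app must keep between the two phases: the state handed to the
/// provider when the auth URL was built (the secret of `csrf_token`),
/// keyed by browser session.
#[derive(Default)]
pub struct PendingLogins {
    by_session: HashMap<String, String>, // session id -> expected state
}

/// Phase 1: `(auth_url, csrf_token, nonce)` has just been returned.
/// Store the csrf secret for this session, then redirect the user to auth_url.
pub fn remember_state(store: &mut PendingLogins, session_id: &str, csrf_secret: &str) {
    store.by_session.insert(session_id.to_string(), csrf_secret.to_string());
}

/// Parse the query string of the redirect URL the provider sends the user
/// back to. Returns (code, state) only if both are present. No percent
/// decoding is done; the sample values here are URL-safe.
pub fn parse_redirect_query(query: &str) -> Option<(String, String)> {
    let mut code = None;
    let mut state = None;
    for pair in query.split('&') {
        let Some((k, v)) = pair.split_once('=') else { continue };
        match k {
            "code" => code = Some(v.to_string()),
            "state" => state = Some(v.to_string()),
            _ => {}
        }
    }
    Some((code?, state?))
}

/// Compare two byte strings without exiting early on the first mismatch.
/// Used here as a conservative default for the state comparison.
fn eq_constant_time(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

#[derive(Debug, PartialEq)]
pub enum CallbackError {
    NoPendingLogin,
    MalformedQuery,
    StateMismatch,
}

/// Phase 2: the user has logged in and the provider redirected back.
/// The `code` may be exchanged for tokens only if the returned `state`
/// equals the secret stored in phase 1. The pending entry is consumed
/// either way, so a state value can be used once.
pub fn handle_callback(
    store: &mut PendingLogins,
    session_id: &str,
    query: &str,
) -> Result<String, CallbackError> {
    let expected = store
        .by_session
        .remove(session_id)
        .ok_or(CallbackError::NoPendingLogin)?;
    let (code, state) = parse_redirect_query(query).ok_or(CallbackError::MalformedQuery)?;
    if !eq_constant_time(state.as_bytes(), expected.as_bytes()) {
        return Err(CallbackError::StateMismatch);
    }
    Ok(code)
}

fn main() {
    let mut store = PendingLogins::default();
    // Constructed sample: stands in for csrf_token.secret() from phase 1.
    remember_state(&mut store, "sess-1", "k7Jq2mXp");
    // Callback carrying the same state: the code is accepted.
    println!("{:?}", handle_callback(&mut store, "sess-1", "code=abc123&state=k7Jq2mXp"));
    // Callback whose state does not match what this session stored: rejected.
    remember_state(&mut store, "sess-1", "k7Jq2mXp");
    println!("{:?}", handle_callback(&mut store, "sess-1", "code=other&state=wrong"));
}
```

The point the example makes concrete is the one in the answer: the code that builds the auth URL and the code that handles the redirect run in two different requests, so the `csrf_token` secret has to be persisted across them and compared with the incoming `state` before the `code` is exchanged. The constant-time comparison is a conservative choice made in this example; whether it is strictly needed for the state value is the question raised in the thread, not something this example settles.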

Thanks for the answer. Is this the comparison that should be done in constant time? https://docs.rs/openidconnect/latest/openidconnect/

LuckyTurtleDev avatar Feb 20 '25 13:02 LuckyTurtleDev