Claper icon indicating copy to clipboard operation
Claper copied to clipboard
verified publisher icon ClaperCo

fix: Add state parameter to OIDC authorization request (#143)

Open Excellencedev opened this issue 3 weeks ago • 3 comments

Summary

Fixes #143 - OIDC login fails with Authelia due to missing state parameter.

Problem

Authelia requires the state parameter in OIDC authorization requests (minimum 8 characters for entropy). The previous implementation didn't include this parameter, causing invalid_state errors.

Changes

  • Added generate_state/0 function to create cryptographically secure 32-byte state values
  • Store state in session alongside PKCE verifier during authorization
  • Validate returned state matches stored state on callback (CSRF protection)
  • Include state parameter in Oidcc.create_redirect_url options

/claim #143

Excellencedev avatar Dec 06 '25 14:12 Excellencedev

@alxlion Please review. I believe this fixes it

Excellencedev avatar Dec 06 '25 14:12 Excellencedev

seems formatting fails. will fx that later

Excellencedev avatar Dec 06 '25 14:12 Excellencedev

code formatted, builds,and test pass. ci should pass

Excellencedev avatar Dec 08 '25 05:12 Excellencedev