FOSOAuthServerBundle

Anti-CSRF blocks authorize form submission when _fos_oauth_server.ensure_logout is used

Open · fracz opened this issue 6 years ago · 1 comment

Using FOS OAuth v1.6.1.

I have configured the login form by setting the _fos_oauth_server.ensure_logout param as suggested in the note. When it is set, the user cannot send the Allow/Deny form after successful authentication due to a failed CSRF token validation.

I have debugged it to the following:

  1. When AuthorizationController sees this param, it invalidates the session. I suppose that is where the CSRF token is lost.
  2. Then it processes the form, which leads to its validation.
  3. It returns false because $this->errors contains one CSRF token error, because the session does not contain any generated token at all (proved in the debugger that this line returns false).
  4. Because the form validation failed, the Allow/Deny form is being rendered again.

fracz · Jul 11 '18 08:07
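The failure mode in steps 1 to 3 reduces to an ordering problem between session invalidation and CSRF validation. The following stand-alone PHP script is an added illustration, not code from FOSOAuthServerBundle or Symfony: `FakeSession` and `CsrfTokens` are minimal stand-ins (assumed names) for a session and a session-backed CSRF token storage, and the second ordering shown is only one way to keep the token available for the check, not a claim about what the linked PR does.

```php
<?php
// Added illustration of the issue's steps 1-3; FakeSession/CsrfTokens are assumed stand-ins.
final class FakeSession
{
    private array $data = [];
    public function set(string $k, string $v): void { $this->data[$k] = $v; }
    public function get(string $k): ?string { return $this->data[$k] ?? null; }
    // Mirrors what a session invalidate() does: all stored data, CSRF tokens included, is dropped.
    public function invalidate(): void { $this->data = []; }
}

final class CsrfTokens
{
    public function __construct(private FakeSession $session) {}
    // Token issued when the form is rendered; the reference copy lives only in the session.
    public function issue(string $formId): string
    {
        $token = bin2hex(random_bytes(16));
        $this->session->set('_csrf/' . $formId, $token);
        return $token;
    }
    // Validation on submit: no stored token (step 3 of the report) is a failure, not a pass.
    public function isValid(string $formId, string $submitted): bool
    {
        $stored = $this->session->get('_csrf/' . $formId);
        return $stored !== null && hash_equals($stored, $submitted);
    }
}

// Request 1 (GET): the Allow/Deny form is rendered and its token stored in the session.
$session = new FakeSession();
$csrf = new CsrfTokens($session);
$tokenInForm = $csrf->issue('authorize');

// Request 2 (POST), ordered as the report describes: the ensure_logout branch invalidates
// the session before the form is handled, so the stored token is gone and the check fails.
$session->invalidate();
$failsAsReported = !$csrf->isValid('authorize', $tokenInForm);

// Same POST with the token checked before the session is discarded (one ordering that
// keeps the reference copy available): the submitted token matches.
$session = new FakeSession();
$csrf = new CsrfTokens($session);
$tokenInForm = $csrf->issue('authorize');
$passesWhenCheckedFirst = $csrf->isValid('authorize', $tokenInForm);
$session->invalidate();

var_dump($failsAsReported, $passesWhenCheckedFirst);
```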

A PR is already open to fix this: https://github.com/FriendsOfSymfony/FOSOAuthServerBundle/pull/197

fxbt · Jul 19 '18 10:07