State value in callback query isn't compared with the session-stored value
At BaseOAuth20Provider.cs:

```csharp
// Start with the Cross Site Request Forgery check.
var callbackState = queryStringParameters[StateKey];
if (string.IsNullOrEmpty(callbackState))
{
    var errorMessage =
        "The callback querystring doesn't include a state key/value parameter. We need one of these so we can to a CSRF check. Please check why the request url from the provider is missing the parameter: " +
        StateKey + ". eg. &state=something...";
    TraceSource.TraceError(errorMessage);
    throw new AuthenticationException(errorMessage);
}
```
Maybe this line of code is needed:

```csharp
callbackState.Equals(state, StringComparison.OrdinalIgnoreCase)
```
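For context, here is an added example (not the library's code) of the complete state round-trip the report says is missing: mint a state before the redirect, store it per session, and on the callback compare the query-string value against the stored one. The class and method names, and the dictionary standing in for the session, are assumptions.

```csharp
// Added example, not SimpleAuthentication's code. OAuthStateStore, IssueState,
// ValidateCallbackState and the in-memory "session" dictionary are assumptions.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public static class OAuthStateStore
{
    // Stand-in for the per-user session store, keyed by session identifier.
    private static readonly Dictionary<string, string> Session = new Dictionary<string, string>();

    // Step 1: before redirecting to the provider, mint an unguessable state and remember it.
    public static string IssueState(string sessionId)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        // URL-safe base64 so the value survives the &state=... query parameter unchanged.
        var state = Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        Session[sessionId] = state;
        return state;
    }

    // Step 2: on the callback, the value from the query string must equal the stored one.
    // Returns false rather than throwing so the caller can trace and raise its own
    // AuthenticationException, as the existing null/empty check does.
    public static bool ValidateCallbackState(string sessionId, string callbackState)
    {
        if (string.IsNullOrEmpty(callbackState)) return false;
        if (!Session.TryGetValue(sessionId, out var expected)) return false;

        // Consume the stored value whether or not the check passes: a state is single-use,
        // so a replayed callback cannot pass a second time.
        Session.Remove(sessionId);

        // Ordinal, fixed-time comparison. FixedTimeEquals returns false on a length mismatch;
        // a case-insensitive compare would only widen what is accepted.
        var a = Encoding.UTF8.GetBytes(expected);
        var b = Encoding.UTF8.GetBytes(callbackState);
        return CryptographicOperations.FixedTimeEquals(a, b);
    }
}

// Usage sketch:
//   var state = OAuthStateStore.IssueState(sessionId);           // goes into the authorize URL
//   ... provider redirects back with ?state=... ...
//   if (!OAuthStateStore.ValidateCallbackState(sessionId, queryStringParameters[StateKey]))
//       throw new AuthenticationException("CSRF state mismatch.");
```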
Hi @AlexanderSysoev - thanks for filing this issue.
Can you please give some sample data where this fails the check, so I can understand the problem more?
plz?
@PureKrome I've not tested it yet, but I didn't find any comparison inside this region:
Cross Site Request Forgery checks -> state == state?
OK - so what you're saying is that I'm missing the state check in this part of the code?
(still trying to grok the problem)
> OK - so what you're saying is that I'm missing the state check in this part of the code?

Exactly
Ok - ta. gotcha! Phew :)
BTW - how did you figure this out?
@PureKrome sorry for my bad communication skills)
> how did you figure this out?

Just viewing the code)