Skip to content

Commit

Permalink
OpenID: State parameter needs to be generated by client
Browse files Browse the repository at this point in the history
  • Loading branch information
Sapd committed Apr 6, 2024
1 parent bc5e047 commit 19b9c6a
Showing 1 changed file with 9 additions and 4 deletions.
13 changes: 9 additions & 4 deletions source/includes/_server.md
Original file line number Diff line number Diff line change
Expand Up @@ -152,7 +152,7 @@ Status | Meaning | Description
## OAuth2 Authorization Request

```shell
curl "https://abs.example.com/auth/openid?code_challenge=1234&code_challenge_method=S256&redirect_uri=audiobookshelf%3A%2F%2Foauth&client_id=Audiobookshelf-App&response_type=code"
curl "https://abs.example.com/auth/openid?code_challenge=1234&code_challenge_method=S256&redirect_uri=audiobookshelf%3A%2F%2Foauth&client_id=Audiobookshelf-App&response_type=code&state=42"
```

> Response header (depending on SSO provider)
Expand All @@ -166,6 +166,8 @@ This endpoint starts a standard OAuth2 flow with PKCE (required - S256; see [RFC
For the `code_challenge`, you must randomly generate a minimum 32-byte string called verifier (PKCE challenge).
With the verifier, you can then generate the challenge. See the examples on the right side.

Also you must generate a random string and send it in the `state` parameter.


> Code Challenge Pseudo-Code
Expand Down Expand Up @@ -195,11 +197,13 @@ function generateRandomString() {

const verifier = generateRandomString()
const challenge = base64URLEncode(await sha256(verifier))

const state = generateRandomString()
```

On a valid request, it will return a 302-redirect (usually with a `Location:` header), which will point to the ABS-configured OAuth2 Provider.
You would usually have to open this redirect-URL in a Browser to present to the user.
Note that inside the redirect URL, among other parameters, there is a `state` parameter; save it for below.
It will include your generated `state`-parameter, check if it matches.
You would usually then have to open this redirect-URL in a Browser to present to the user.

Note that you will have to preserve the cookies you receive in this call for using it in `/auth/openid/callback` (check if you need to set a parameter for the HTTP library you are using for that).

Expand All @@ -225,6 +229,7 @@ Parameter | Type | Default | Description
`response_type` | String | code | Only `code` is supported
`redirect_uri` | String | **Required** | URL where to redirect after a successful login. Must be whitelisted in ABS
`client_id` | String | **Required** | The name of your app (currently not used, but might be required at some point)
`state` | String | **Required** | A randomly generated string, which must match in subsequent requests

Other parameters are ignored.

Expand Down Expand Up @@ -290,7 +295,7 @@ It's important to note that the call to `/auth/openid/callback` is stateful. Thi

Parameter | Type | Default | Description
--------- | ---- | ------- | -----------
`state` | String | **Required** | The state string you received when `redirect_uri` was called
`state` | String | **Required** | The state string you generated in the first request
`code` | String | **Required** | The code you received when `redirect_uri` was called
`code_verifier` | String | **Required** | This is the verifier you generated when providing the `code_challenge` in the first request

Expand Down

0 comments on commit 19b9c6a

Please sign in to comment.