TT-11298 - OAuth2 state param is a hard coded value #388

Open
codingWombat opened this issue Mar 8, 2024 · 0 comments
Branch/Environment

  • Branch: Master
  • Environment: On-prem

Describe the bug
In the current implementation tib only uses a hard-coded state value; this violates RFC 6749, which requires an opaque, non-guessable value. At least the initiator of the call should be able to pass a different value.

Reproduction steps
Steps to reproduce the behavior:
See https://github.com/TykTechnologies/tyk-identity-broker/blob/a68a680c31d00b7eec4e222ed7534600f88dcc12/tothic/tothic.go#L136C1-L138C1

Actual behavior
State is always "state".

Expected behavior
State is either a random opaque value or taken from the value the caller sends.

Additional context
This bug was also reported as Tyk support case #18436 and resulted in the feature request TT-11298.
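The behaviour the issue asks for, written out as an added example in Go. This is not tyk-identity-broker code and the `stateStore`, `Issue` and `Consume` names are illustrative: the state is either taken from the caller or generated from `crypto/rand`, it is bound to a pending request with a short expiry, and it is accepted exactly once on the callback. A fixed value such as `"state"` gives none of that, which is what RFC 6749 section 10.12 (CSRF protection) is about.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
	"time"
)

// stateStore tracks the state values handed out for outgoing authorization
// requests so the redirect back to us can be checked. Hypothetical type;
// a real broker would key this by session, not keep a global map.
type stateStore struct {
	mu      sync.Mutex
	pending map[string]time.Time // state -> expiry
	ttl     time.Duration
	now     func() time.Time // injectable clock so expiry can be tested
}

func newStateStore(ttl time.Duration) *stateStore {
	return &stateStore{pending: map[string]time.Time{}, ttl: ttl, now: time.Now}
}

// newRandomState returns 32 bytes from crypto/rand, base64url-encoded without
// padding (43 characters): opaque and not guessable by a third party.
func newRandomState() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// Issue returns the state to put on the authorization request. A non-empty
// callerState is used as-is (the caller-supplied value the issue asks for);
// otherwise a fresh random value is generated. Both are single-use and expire.
func (s *stateStore) Issue(callerState string) (string, error) {
	state := callerState
	if state == "" {
		var err error
		if state, err = newRandomState(); err != nil {
			return "", err
		}
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.pending[state] = s.now().Add(s.ttl)
	return state, nil
}

// Consume checks the state echoed back on the redirect URI. The entry is
// deleted on first sight whether or not it is still valid, so a replayed or
// forged callback carrying an old value is rejected.
func (s *stateStore) Consume(returned string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	exp, ok := s.pending[returned]
	if !ok {
		return errors.New("unknown state: possible CSRF or replay")
	}
	delete(s.pending, returned)
	if s.now().After(exp) {
		return errors.New("state expired")
	}
	return nil
}

func main() {
	store := newStateStore(5 * time.Minute)
	state, err := store.Issue("")
	if err != nil {
		panic(err)
	}
	fmt.Println("state for auth request:", state)
	fmt.Println("hard-coded \"state\" accepted?", store.Consume("state") == nil) // false
	fmt.Println("issued value accepted?", store.Consume(state) == nil)          // true
	fmt.Println("same value again accepted?", store.Consume(state) == nil)      // false
}
```

The single-use deletion is the part that is easy to forget: without it a state that leaked through a referrer header or log line stays valid for the whole TTL.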
