- OAuth2 + OIDC: add support for "state" parameter (owncloud/ios-app#…

…1219)
owncloud · Jun 21, 2023 · a07fed5 · a07fed5
1 parent 254cbac
commit a07fed5
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 1 deletion.
diff --git a/ownCloudSDK/Authentication/OCAuthenticationMethodOAuth2.h b/ownCloudSDK/Authentication/OCAuthenticationMethodOAuth2.h
@@ -38,6 +38,9 @@ typedef NS_ENUM(NSInteger, OCAuthenticationOAuth2TokenRequestType)
 #pragma mark - PKCE support
 @property(strong,nullable) OCPKCE *pkce; //!< pre-configured PKCE object to use for Proof Key for Code Exchange
 
+#pragma mark - State
+@property(strong,nullable) NSString *state; //!< pre-filled UUID string to use as state parameter (specification: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-00#section-4.1.1.3)
+
 #pragma mark - Subclassing points
 - (nullable NSURL *)authorizationEndpointURLForConnection:(OCConnection *)connection options:(OCAuthenticationMethodDetectionOptions)options;
 - (nullable NSURL *)tokenEndpointURLForConnection:(OCConnection *)connection options:(OCAuthenticationMethodDetectionOptions)options;

diff --git a/ownCloudSDK/Authentication/OCAuthenticationMethodOAuth2.m b/ownCloudSDK/Authentication/OCAuthenticationMethodOAuth2.m
@@ -162,6 +162,16 @@ + (OCClassSettingsMetadataCollection)classSettingsMetadata
 	});
 }
 
+- (instancetype)init
+{
+	if ((self = [super init]) != nil)
+	{
+		self.state = NSUUID.UUID.UUIDString;
+	}
+
+	return (self);
+}
+
 #pragma mark - Identification
 + (OCAuthenticationMethodType)type
 {
@@ -383,6 +393,8 @@ - (void)generateBookmarkAuthenticationDataWithConnection:(OCConnection *)connect
 			@"client_id" 	  	 : [self clientID],
 			@"redirect_uri"   	 : [self redirectURIForConnection:connection],
 
+			@"state"		 : (self.state != nil) ? self.state : ((NSString *)NSNull.null),
+
 			// OAuth2 PKCE
 			@"code_challenge" 	 : (self.pkce.codeChallenge != nil) ? self.pkce.codeChallenge : ((NSString *)NSNull.null),
 			@"code_challenge_method" : (self.pkce.method != nil) ? self.pkce.method : ((NSString *)NSNull.null),
@@ -402,12 +414,32 @@ - (void)generateBookmarkAuthenticationDataWithConnection:(OCConnection *)connect
 				OCLogDebug(@"Auth session returned with callbackURL=%@, error=%@", OCLogPrivate(callbackURL), error);
 
 				// Handle authentication session result
+				if ((error == nil) && (self.state != nil))
+				{
+					// Verify "state" requirements from https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-00#name-authorization-response
+					NSString *returnedState;
+
+					if ((returnedState = callbackURL.queryParameters[@"state"]) != nil)
+					{
+						if (![returnedState isEqual:self.state])
+						{
+							// Returned "state" differs from the "state" that was sent
+							error = OCError(OCErrorAuthorizationFailed);
+						}
+					}
+					else
+					{
+						// If "state" was sent with the authorization request, it is REQUIRED to be returned
+						error = OCError(OCErrorAuthorizationFailed);
+					}
+				}
+
 				if (error == nil)
 				{
 					NSString *authorizationCode;
 
 					// Obtain Authorization Code
-					if ((authorizationCode = [callbackURL queryParameters][@"code"]) != nil)
+					if ((authorizationCode = callbackURL.queryParameters[@"code"]) != nil)
 					{
 						OCLogDebug(@"Auth session concluded with authorization code: %@", OCLogPrivate(authorizationCode));