new flat for tryLogin to disable oauth2-style state check

manfredsteyer · Aug 28, 2017 · 91fa005 · 91fa005
1 parent 0e386a7
commit 91fa005
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 12 deletions.
diff --git a/angular-oauth2-oidc/src/oauth-service.ts b/angular-oauth2-oidc/src/oauth-service.ts
@@ -895,7 +895,8 @@ export class OAuthService {
             return Promise.reject('Either requestAccessToken or oidc or both must be true.');
         }
 
-        if (this.requestAccessToken && (!accessToken || !state)) return Promise.resolve();
+        if (this.requestAccessToken && !accessToken) return Promise.resolve();
+        if (this.requestAccessToken && !options.disableOAuth2StateCheck && !state) return Promise.resolve();
         if (this.oidc && !idToken) return Promise.resolve();
 
         var stateParts = state.split(';');
@@ -905,22 +906,16 @@ export class OAuthService {
         var nonceInState = stateParts[0];
 
 
-        // Our state might be URL encoded
-        // Check for this and then decode it if it is
-        // TODO: Check this!
-        /*
-        let decodedState = decodeURIComponent(state);
-        if (decodedState != state) {
-          state = decodedState;
-        }
-        */
-        if (this.requestAccessToken) {
+        if (this.requestAccessToken && !options.disableOAuth2StateCheck) {
             let success = this.validateNonceForAccessToken(accessToken, nonceInState);
             if (!success) {
                 let event = new OAuthErrorEvent('invalid_nonce_in_state', null);
                 this.eventsSubject.next(event);
                 return Promise.reject(event);
             }
+        }
+
+        if (this.requestAccessToken) {
             this.storeAccessTokenResponse(accessToken, null, parts['expires_in']);
         }
 

diff --git a/angular-oauth2-oidc/src/package.json b/angular-oauth2-oidc/src/package.json
@@ -1,6 +1,6 @@
 {
   "name": "angular-oauth2-oidc",
-  "version": "2.0.11",
+  "version": "2.0.12",
   "repository": {
     "type": "git",
     "url": "https://github.com/manfredsteyer/angular-oauth2-oidc"

diff --git a/angular-oauth2-oidc/src/types.ts b/angular-oauth2-oidc/src/types.ts
@@ -31,6 +31,16 @@ export class LoginOptions {
      * pass the iframes hash fragment to this method.
     */
     customHashFragment?: string;
+
+    /**
+     * Set this to true to disable the oauth2 state
+     * check which is a best practice to avoid
+     * security attacks. 
+     * As OIDC defines a nonce check that includes
+     * this, this can be set to true when only doing
+     * OIDC.
+     */
+    disableOAuth2StateCheck?: boolean;
 }
 
 /**