request #9717: OpenID Connect plugin can not create 2 authentication links for the same provider in the same request

The issue can be seen when one provider is set as the unique authentication source: on the homepage, the events LOGIN_ADDITIONAL_CONNECTOR and GET_LOGIN_URL are going to be called. Since these two events do not share state, the URL generated for the provider is going to be different: state signed with a different key and a different nonce. We only store in the session one key to verify the state's signature and one expected nonce. During the same request, the generated states should all have the same signature key and nonce.

Change-Id: I46e355a50614000302c3179718b6ae0509ef5518

Modified Files

M plugins/openidconnectclient/include/OpenIDConnectClient/Authentication/StateFactory.php +9 −5
M plugins/openidconnectclient/tests/Authentication/StateFactoryTest.php +27 −11
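
An added illustration of the failure described in the commit message, not code from the Tuleap commit: two events each generate a signed state for the same provider while the session keeps a single key and nonce. The class, function names, payload layout and HMAC-SHA256 signing are assumptions made for the sketch, and separate factory instances stand in for the events not sharing state.

```php
<?php
declare(strict_types=1);

// Hypothetical names throughout; this is not Tuleap's StateFactory.
final class RequestScopedStateFactory
{
    private ?string $key = null;
    private ?string $nonce = null;

    /** Returns [signed state, key, nonce]; key and nonce are created once per instance. */
    public function create(int $providerId, string $returnTo): array
    {
        $this->key   ??= random_bytes(32);
        $this->nonce ??= bin2hex(random_bytes(16));
        $payload = base64_encode(json_encode([$providerId, $returnTo], JSON_THROW_ON_ERROR));
        $state   = $payload . '.' . hash_hmac('sha256', $payload, $this->key);
        return [$state, $this->key, $this->nonce];
    }
}

/** Checks the state's signature against the single key kept in the session. */
function verifyState(string $state, string $sessionKey): bool
{
    $parts = explode('.', $state, 2);
    if (count($parts) !== 2) {
        return false;
    }
    return hash_equals(hash_hmac('sha256', $parts[0], $sessionKey), $parts[1]);
}

/** One simulated request: both events ask for a login URL for provider 1 (constructed input). */
function simulate(callable $factoryForEvent): array
{
    $session = [];
    $states  = [];
    foreach (['LOGIN_ADDITIONAL_CONNECTOR', 'GET_LOGIN_URL'] as $event) {
        [$state, $key, $nonce] = $factoryForEvent()->create(1, '/my/');
        $session = ['key' => $key, 'nonce' => $nonce]; // single slot: last writer wins
        $states[$event] = $state;
    }
    // Which of the two generated links would still verify on callback?
    return array_map(fn (string $s): bool => verifyState($s, $session['key']), $states);
}

// Events that do not share state: a fresh factory, hence a fresh key and nonce, per event.
var_dump(simulate(fn () => new RequestScopedStateFactory()));
// Request-scoped state: one factory shared by both events.
$shared = new RequestScopedStateFactory();
var_dump(simulate(fn () => $shared));
```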