From b8b9154077963492dad3ed0350a4d93d09a95602 Mon Sep 17 00:00:00 2001
From: aeneasr <3372410+aeneasr@users.noreply.github.com>
Date: Wed, 21 Jun 2023 12:00:50 +0200
Subject: [PATCH] feat: add state override

---
 cmd/cmd_perform_authorization_code.go | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/cmd/cmd_perform_authorization_code.go b/cmd/cmd_perform_authorization_code.go
index 78bc2dbc120..60c0ae57425 100644
--- a/cmd/cmd_perform_authorization_code.go
+++ b/cmd/cmd_perform_authorization_code.go
@@ -132,15 +132,19 @@ and success, unless if the --no-shutdown flag is provided.`,
 			Scopes: scopes,
 		}
 
-		var generateAuthCodeURL = func() (string, []rune) {
-			state, err := randx.RuneSequence(24, randx.AlphaLower)
-			cmdx.Must(err, "Could not generate random state: %s", err)
+		var generateAuthCodeURL = func() (string, string) {
+			state := flagx.MustGetString(cmd, "state")
+			if len(state) == 0 {
+				generatedState, err := randx.RuneSequence(24, randx.AlphaLower)
+				cmdx.Must(err, "Could not generate random state: %s", err)
+				state = string(generatedState)
+			}
 
 			nonce, err := randx.RuneSequence(24, randx.AlphaLower)
 			cmdx.Must(err, "Could not generate random state: %s", err)
 
 			authCodeURL := conf.AuthCodeURL(
-				string(state),
+				state,
 				oauth2.SetAuthURLParam("audience", strings.Join(audience, "+")),
 				oauth2.SetAuthURLParam("nonce", string(nonce)),
 				oauth2.SetAuthURLParam("prompt", strings.Join(prompt, "+")),
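Review bot: The override path on the `state := flagx.MustGetString(cmd, "state")` line accepts any non-empty flag value verbatim, so a forced state removes the per-run unpredictability that the callback's state comparison relies on for CSRF protection; the flag help text says "insecure", but the closure itself should say so for the next reader. I would add above the `if len(state) == 0` guard: `// A user-supplied --state is used as-is (no entropy, not validated); a random value is only generated when the flag is empty.` The closure's second return also changed from `[]rune` to `string` and the diffstat shows no other hunks in this file, so the callers that compare it against the callback's state parameter must already accept a string (`string(state)` on a string compiles unchanged) — worth a quick check that none of them relied on rune-based handling. generateAuthCodeURL's body continues past the end of the hunk.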
@@ -295,6 +299,7 @@ and success, unless if the --no-shutdown flag is provided.`,
 	cmd.Flags().String("client-id", os.Getenv("OAUTH2_CLIENT_ID"), "Use the provided OAuth 2.0 Client ID, defaults to environment variable OAUTH2_CLIENT_ID")
 	cmd.Flags().String("client-secret", os.Getenv("OAUTH2_CLIENT_SECRET"), "Use the provided OAuth 2.0 Client Secret, defaults to environment variable OAUTH2_CLIENT_SECRET")
+	cmd.Flags().String("state", "", "Force a state value (insecure)")
 	cmd.Flags().String("redirect", "", "Force a redirect url")
 	cmd.Flags().StringSlice("audience", []string{}, "Request a specific OAuth 2.0 Access Token Audience")
 	cmd.Flags().String("auth-url", "", "Usually it is enough to specify the `endpoint` flag, but if you want to force the authorization url, use this flag")