Merge pull request #1000 from Rocket18/issue/993

manfredsteyer · web-flow · commit e96f2fa80cbe · 2021-07-16T16:56:29.000+02:00
disableOAuth2StateCheck before calling validateNonce() in code flow
diff --git a/projects/lib/src/oauth-service.ts b/projects/lib/src/oauth-service.ts
@@ -1734,14 +1734,15 @@ export class OAuthService extends AuthConfig implements OnDestroy {
         return Promise.resolve();
       }
 
+    if(!options.disableOAuth2StateCheck) {
       const success = this.validateNonce(nonceInState);
       if (!success) {
         const event = new OAuthErrorEvent('invalid_nonce_in_state', null);
         this.eventsSubject.next(event);
         return Promise.reject(event);
       }
     }
-
+    
     this.storeSessionState(sessionState);
 
     if (code) {

Original file line number	Diff line number	Diff line change
`@@ -1734,14 +1734,15 @@ export class OAuthService extends AuthConfig implements OnDestroy {`
`1734`	`1734`	`return Promise.resolve();`
`1735`	`1735`	`}`
`1736`	`1736`
	`1737`	`+ if(!options.disableOAuth2StateCheck) {`
`1737`	`1738`	`const success = this.validateNonce(nonceInState);`
`1738`	`1739`	`if (!success) {`
`1739`	`1740`	`const event = new OAuthErrorEvent('invalid_nonce_in_state', null);`
`1740`	`1741`	`this.eventsSubject.next(event);`
`1741`	`1742`	`return Promise.reject(event);`
`1742`	`1743`	`}`
`1743`	`1744`	`}`
`1744`		`-`
	`1745`	`+`
`1745`	`1746`	`this.storeSessionState(sessionState);`
`1746`	`1747`
`1747`	`1748`	`if (code) {`