Add possibility to encode the state param as UrlEncodedBase64 (#2312)

* Add possibility to encode the state param as UrlEncodedBase64 * Update CHANGELOG.md * Update oauthproxy.go Co-authored-by: Jan Larwig <jan@larwig.com> --------- Co-authored-by: Jan Larwig <jan@larwig.com>
2025-06-15 00:15:00 +02:00 · 2024-01-20 20:08:30 +01:00
parent be84906fbc
commit bc022fbfd1
5 changed files with 50 additions and 9 deletions
--- a/oauthproxy.go
+++ b/oauthproxy.go
@ -3,6 +3,7 @@ package main
 import (
 	"context"
 	"embed"
+	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"fmt"
@ -110,6 +111,8 @@ type OAuthProxy struct {
 	serveMux          *mux.Router
 	redirectValidator redirect.Validator
 	appDirector       redirect.AppDirector
+
+	encodeState bool
 }

 // NewOAuthProxy creates a new instance of OAuthProxy from the options provided
@ -239,6 +242,7 @@ func NewOAuthProxy(opts *options.Options, validator func(string) bool) (*OAuthPr
 		upstreamProxy:      upstreamProxy,
 		redirectValidator:  redirectValidator,
 		appDirector:        appDirector,
+		encodeState:        opts.EncodeState,
 	}
 	p.buildServeMux(opts.ProxyPrefix)

@ -796,7 +800,7 @@ func (p *OAuthProxy) doOAuthStart(rw http.ResponseWriter, req *http.Request, ove
 	callbackRedirect := p.getOAuthRedirectURI(req)
 	loginURL := p.provider.GetLoginURL(
 		callbackRedirect,
-		encodeState(csrf.HashOAuthState(), appRedirect),
+		encodeState(csrf.HashOAuthState(), appRedirect, p.encodeState),
 		csrf.HashOIDCNonce(),
 		extraParams,
 	)
@ -854,7 +858,7 @@ func (p *OAuthProxy) OAuthCallback(rw http.ResponseWriter, req *http.Request) {

 	csrf.ClearCookie(rw, req)

-	nonce, appRedirect, err := decodeState(req)
+	nonce, appRedirect, err := decodeState(req.Form.Get("state"), p.encodeState)
 	if err != nil {
 		logger.Errorf("Error while parsing OAuth2 state: %v", err)
 		p.ErrorPage(rw, req, http.StatusInternalServerError, err.Error())
@ -1194,18 +1198,28 @@ func checkAllowedEmails(req *http.Request, s *sessionsapi.SessionState) bool {

 // encodedState builds the OAuth state param out of our nonce and
 // original application redirect
-func encodeState(nonce string, redirect string) string {
-	return fmt.Sprintf("%v:%v", nonce, redirect)
+func encodeState(nonce string, redirect string, encode bool) string {
+	rawString := fmt.Sprintf("%v:%v", nonce, redirect)
+	if encode {
+		return base64.RawURLEncoding.EncodeToString([]byte(rawString))
+	}
+	return rawString
 }

 // decodeState splits the reflected OAuth state response back into
 // the nonce and original application redirect
-func decodeState(req *http.Request) (string, string, error) {
-	state := strings.SplitN(req.Form.Get("state"), ":", 2)
-	if len(state) != 2 {
+func decodeState(state string, encode bool) (string, string, error) {
+	toParse := state
+	if encode {
+		decoded, _ := base64.RawURLEncoding.DecodeString(state)
+		toParse = string(decoded)
+	}
+
+	parsedState := strings.SplitN(toParse, ":", 2)
+	if len(parsedState) != 2 {
 		return "", "", errors.New("invalid length")
 	}
-	return state[0], state[1], nil
+	return parsedState[0], parsedState[1], nil
 }

 // addHeadersForProxying adds the appropriate headers the request / response for proxying