Since #2923213: Use session manager instead of accessing $_SESSION directly, connecting an account on the Connected accounts page (/user/1/connected-accounts) no longer works and results in an access denied page on multilingual websites.

This page results in an access denied page because, the first time /user/1/connected-accounts is visited, it is checked whether the user has access to this page. Then the user is redirected to en/user/1/connected-accounts (probably because I have the URL detection method enabled) and access is checked again.

  public function access(): AccessResultInterface {
    // Confirm anti-forgery state token. This round-trip verification helps to
    // ensure that the user, not a malicious script, is making the request.
    $request = $this->requestStack->getCurrentRequest();
    $state_token = $request->get('state');
    if ($state_token && $this->stateToken->confirm($state_token)) {
      return AccessResult::allowed();
    }
    return AccessResult::forbidden();
  }

In the access method, the state value is retrieved and removed from the session. So the second time the value is retrieved from the session it is no longer available, which results in an access denied error.

Files: #2 3205369-2.patch (512 bytes, JeroenT)

Comments

JeroenT created an issue. See original summary.

JeroenT

Status: Active » Needs review
File: 3205369-2.patch (512 bytes)

The patch attached is a quickfix and solves the problem. But the state value is no longer cleared from the session.

jcnventura

Before I moved everything to the OpenIDConnectSession class, the state token was being cleared on its own somewhere else. I think this is partly the reason for that. I'll need to add back the removeStateToken method to that class. The other session usages clear the session just after reading it, so I decided to combine it into one.

jcnventura

Title: Connect account user page no longer works on multilingual website » State token removed from session before authorization is complete

  • jcnventura authored 6d56b91 on 2.x
    Issue #3205369 by JeroenT, jcnventura: State token removed from session...
jcnventura

Status: Needs review » Fixed

I added a 'clear' flag to the retrieveZZ() methods of the session class. The getStateToken will use that flag set to FALSE in the only place it was being called, and I've added a new call to the same method with the default value of TRUE where the old unset($_SESSION) used to be.
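An added illustration of the bug and of the 'clear' flag fix described above (example code, not the openid_connect module's own; the class, method names and the token value are assumptions): the same access check runs twice on a multilingual site, once on the original path and once after the language-prefix redirect, so the check must not consume the token.

```php
<?php
// Added example, not the module's code. Minimal stand-in for the session
// wrapper, with the "clear" flag from the comment above (names assumed).

final class StateTokenSession {
  /** @var array<string, mixed> Constructed stand-in for the Drupal session bag. */
  private array $bag = [];

  public function saveStateToken(string $token): void {
    $this->bag['state_token'] = $token;
  }

  /**
   * Returns the stored state token, or NULL if none is stored.
   * With $clear = TRUE the token is removed from the session in the same call,
   * so a later read (e.g. after a language redirect) finds nothing.
   */
  public function retrieveStateToken(bool $clear = TRUE): ?string {
    $token = $this->bag['state_token'] ?? NULL;
    if ($clear) {
      unset($this->bag['state_token']);
    }
    return $token;
  }
}

/** Access check: compare the request's ?state= value with the session copy. */
function accessAllowed(StateTokenSession $session, string $request_state, bool $clear): bool {
  $stored = $session->retrieveStateToken($clear);
  // Constant-time comparison so the check does not leak token bytes via timing.
  return $stored !== NULL && hash_equals($stored, $request_state);
}

// Buggy behaviour: the first check consumes the token, so the check that runs
// again after the redirect to en/... has nothing to compare against.
$session = new StateTokenSession();
$session->saveStateToken('constructed-state-token');
$first  = accessAllowed($session, 'constructed-state-token', TRUE);
$second = accessAllowed($session, 'constructed-state-token', TRUE);
assert($first === TRUE && $second === FALSE);

// Fixed behaviour: access checks read without clearing; the token is cleared
// once, where the old unset($_SESSION) used to be, after authorization completes.
$session->saveStateToken('constructed-state-token');
$first  = accessAllowed($session, 'constructed-state-token', FALSE);
$second = accessAllowed($session, 'constructed-state-token', FALSE);
$session->retrieveStateToken();  // $clear defaults to TRUE: one-time use enforced
assert($first === TRUE && $second === TRUE && $session->retrieveStateToken() === NULL);
```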

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

Ravi Shankar Karnati

Team - I am facing the same issue for 8.x-1.2, can I have any fix for it?
Thanks in advance.