Don't trust session information

CZ-NIC · Jun 3, 2016 · 03b7b82 · 03b7b82
1 parent 53e5935
commit 03b7b82
Showing 1 changed file with 5 additions and 4 deletions.
diff --git a/src/oic/utils/rp/__init__.py b/src/oic/utils/rp/__init__.py
@@ -117,15 +117,16 @@ def callback(self, response, session, format='dict'):
             else:
                 raise OIDCError("Access denied")
 
-        if session["state"] != authresp["state"]:
-            self._err("Received state not the same as expected.")
+        _state = authresp["state"]
+        # if session["state"] != authresp["state"]:
+        #     self._err("Received state not the same as expected.")
 
         try:
             _id_token = authresp['id_token']
         except KeyError:
             _id_token = None
         else:
-            if _id_token['nonce'] != session["nonce"]:
+            if _id_token['nonce'] != self.authz_req[_state]['nonce']:
                 self._err("Received nonce not the same as expected.")
 
         if self.behaviour["response_type"] == "code":
@@ -175,7 +176,7 @@ def callback(self, response, session, format='dict'):
         if _id_token['iss'] != self.provider_info['issuer']:
             self._err("Issuer mismatch")
 
-        if _id_token['nonce'] != session['nonce']:
+        if _id_token['nonce'] != self.authz_req[_state]['nonce']:
             self._err("Nonce mismatch")
 
         if not self.allow_sign_alg_none: