From 03b7b8275dbff90714a53317f5131dc24287a8ce Mon Sep 17 00:00:00 2001
From: Roland Hedberg
Date: Thu, 2 Jun 2016 19:12:05 -0700
Subject: [PATCH] Don't trust session information
---
 src/oic/utils/rp/__init__.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/oic/utils/rp/__init__.py b/src/oic/utils/rp/__init__.py
index 42f2461f1..ad41102ca 100644
--- a/src/oic/utils/rp/__init__.py
+++ b/src/oic/utils/rp/__init__.py
@@ -117,15 +117,16 @@ def callback(self, response, session, format='dict'):
 else:
 raise OIDCError("Access denied")
- if session["state"] != authresp["state"]:
- self._err("Received state not the same as expected.")
+ _state = authresp["state"]
+ # if session["state"] != authresp["state"]:
+ # self._err("Received state not the same as expected.")
 try:
 _id_token = authresp['id_token']
 except KeyError:
 _id_token = None
 else:
- if _id_token['nonce'] != session["nonce"]:
+ if _id_token['nonce'] != self.authz_req[_state]['nonce']:
 self._err("Received nonce not the same as expected.")
 if self.behaviour["response_type"] == "code":
@@ -175,7 +176,7 @@ def callback(self, response, session, format='dict'):
 if _id_token['iss'] != self.provider_info['issuer']:
 self._err("Issuer mismatch")
- if _id_token['nonce'] != session['nonce']:
+ if _id_token['nonce'] != self.authz_req[_state]['nonce']:
 self._err("Nonce mismatch")
 if not self.allow_sign_alg_none:
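Review bot: Commenting out the `session["state"]` comparison removes the binding between the authorization response and the browser session that `state` exists to provide (RFC 6749 §10.12), so the response is now accepted for any `state` value present in `self.authz_req`, which appears to be a per-RP table shared across all users; an attacker can complete their own authorization and hand that response to a victim's browser, logging the victim into the attacker's account (login CSRF). If the session store is what is not to be trusted, `_state` still has to be tied to something the caller controls — keep the comparison, or verify that the `self.authz_req[_state]` entry belongs to this user — rather than accepting any known state. As written, an unknown `state` raises `KeyError` at `self.authz_req[_state]` instead of going through `_err` like the other checks; `if _state not in self.authz_req: self._err("Received state not the same as expected.")` keeps the error path uniform, and popping the entry once used would stop the same response being replayed. The two commented-out lines should be deleted rather than left in the file. `callback` continues past the end of the hunk.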
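Review bot: The nonce comparison indexes `self.authz_req[_state]` without a guard, so a `state` missing from the table surfaces as an unhandled `KeyError` rather than an `_err` call like the issuer check two lines above; `_state` is assigned outside this hunk, earlier in `callback`, and whether it was validated there is not visible here. Resolving the expected nonce once where `_state` is set, e.g. `_expected_nonce = self.authz_req[_state]['nonce']` after a membership check, and comparing `_id_token['nonce'] != _expected_nonce` here would keep the two nonce checks consistent and the failure mode deliberate. The enclosing `callback` body starts and ends outside the hunk.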