Issue with generic OIDC provider #3782
After adding a generic OIDC provider as per the docs, we are getting an error.
I did some debugging on Kratos code. Kratos is expecting the state query parameter in the callback to be a base64-encoded string, which contains a string format (UUID:data). Once decoded, it checks the UUID against different flows such as login, registration, and settings. If the UUID in the state query parameter matches the flow UUID generated by Kratos, it proceeds; otherwise, it may reject the request or handle it differently. This is where it is failing: https://github.com/ory/kratos/blob/master/selfservice/strategy/oidc/strategy.go#L255 If the state query parameter is expected to contain the Kratos flow ID, am I missing something?
This is correct. The reason is that the state parameter is generated by Kratos and should be treated as an opaque token. If your provider does not return the state parameter, that seems like a security issue on the provider's side, as the state parameter is a vital security mechanism of OIDC. See also https://stackoverflow.com/questions/26132066/what-is-the-purpose-of-the-state-parameter-in-oauth-authorization-request
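The check the two comments above describe, written out as an added Go illustration that is not Kratos's own code: it assumes the `base64url("<flow-uuid>:<random>")` layout the debugging comment reports, and the names `encodeState`, `parseState`, `verifyCallback`, the `pending` map and the sample flow ID are all constructed for this example.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
	"strings"
)
// Assumed layout per the thread: base64url("<flow-uuid>:<random>"); illustration, not Kratos's code.
var uuidRe = regexp.MustCompile(`^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$`)
var ErrBadState = errors.New("oidc: state missing, malformed or not issued by this server")

// encodeState builds the opaque token sent with the authorize request.
func encodeState(flowID, nonce string) string {
	return base64.RawURLEncoding.EncodeToString([]byte(flowID + ":" + nonce))
}

// parseState decodes the callback's state into the flow ID and random part.
func parseState(state string) (flowID, nonce string, err error) {
	raw, err := base64.RawURLEncoding.DecodeString(state)
	if err != nil {
		return "", "", ErrBadState
	}
	parts := strings.SplitN(string(raw), ":", 2)
	if len(parts) != 2 || !uuidRe.MatchString(parts[0]) {
		return "", "", ErrBadState
	}
	return parts[0], parts[1], nil
}

// verifyCallback accepts the callback only if the state names a flow this server
// started and the random part matches what was issued (provider echoed it unchanged).
func verifyCallback(state string, pending map[string]string) (string, error) {
	flowID, nonce, err := parseState(state)
	if err != nil {
		return "", err
	}
	if want, ok := pending[flowID]; !ok || want != nonce {
		return "", ErrBadState
	}
	return flowID, nil
}

func main() {
	const flow = "6f1d0e2a-3b4c-4d5e-8f90-1a2b3c4d5e6f" // constructed flow ID
	pending := map[string]string{flow: "r4nd0m"}
	fmt.Println(verifyCallback(encodeState(flow, "r4nd0m"), pending)) // flow, <nil>
	fmt.Println(verifyCallback("", pending))                         // "", error
}
```

A provider that drops or rewrites `state` fails the last check by design; the fix belongs on the provider side, not in relaxing the relying party's validation.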