OAuth Invalid Session Key - State encoding issue

by Brian walker -
Number of replies: 2

I'm trying to use Moodle's core OAuth implementation to integrate with Cognito.
(Moodle 3.8)

The issue I'm running into exactly matches this (closed) thread from a couple of years ago: 
https://moodle.org/mod/forum/discuss.php?d=370241

I've traced the issue to:
moodle/lib/oauthlib.php::515
'state' => $this->returnurl->out_as_local_url(false),

If I set the argument value of out_as_local_url (escaped) to TRUE, it works.

Basically, the core logic expects sesskey to be a query-parameter of the state request parameter, but because the argument is improperly escaped, sesskey is a param of the request.

Currently, the only alternative I can find, that doesn't involve hacking core, is creating a new oauth auth-plugin to change one line in login.php to correctly encode the state request parameter.

I would welcome an alternative.

Thanks.


In reply to Brian walker

Re: OAuth Invalid Session Key - State encoding issue

by David M -

Hi, I'm facing the same issue as you. Did you finally find a definitive solution?

I tried changing line 515 of oauthlib.php from 'state' => $this->returnurl->out_as_local_url(false), to 'state' => $this->returnurl->out_as_local_url(true), but I'm still getting the invalid sesskey using AWS Cognito.

Thanks in advance.

In reply to David M

Re: OAuth Invalid Session Key - State encoding issue

by Sanjay Pant -
Hi David, this worked for me while using AWS Cognito:

'state' => urlencode(urldecode($this->returnurl->out_as_local_url(false))),
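The round trip discussed in this thread, as an added example that is not part of any post above and is not Moodle's code: it compares where sesskey ends up when state is sent as-is and when it is pre-encoded with urlencode(urldecode(...)). It assumes a provider that URL-decodes state once and appends it to the callback without encoding it again; the host names, return URL, sesskey, code value and the function names idp_redirect, callback_params and sesskey_in_state are constructed for illustration.

```php
<?php
// Constructed return URL standing in for out_as_local_url(false) output.
$returnurl = '/auth/oauth2/login.php?id=1&wantsurl=%2F&sesskey=AbC123xyz';
$callback  = 'https://moodle.example/admin/oauth2callback.php';

// Hypothetical provider (assumption): decodes the state it receives once,
// then appends it to the callback URL without encoding it again.
function idp_redirect(string $authurl, string $callback): string {
    parse_str((string) parse_url($authurl, PHP_URL_QUERY), $params);
    return $callback . '?code=constructed-code&state=' . $params['state'];
}

// Parameters the callback page receives for a given state value.
function callback_params(string $state, string $callback): array {
    // The client encodes each request parameter once, as a URL builder would.
    $authurl = 'https://idp.example/oauth2/authorize?response_type=code&state='
        . rawurlencode($state);
    parse_str((string) parse_url(idp_redirect($authurl, $callback), PHP_URL_QUERY), $seen);
    return $seen;
}

// sesskey as carried inside the state URL, or null if it is not there.
function sesskey_in_state(array $seen): ?string {
    parse_str((string) parse_url($seen['state'] ?? '', PHP_URL_QUERY), $inner);
    return $inner['sesskey'] ?? null;
}

$cases = [
    'state sent as-is'  => $returnurl,
    'state pre-encoded' => urlencode(urldecode($returnurl)),
];

foreach ($cases as $label => $state) {
    $seen = callback_params($state, $callback);
    printf(
        "%s\n  state received:   %s\n  sesskey in state: %s\n  sesskey top-level: %s\n",
        $label,
        $seen['state'],
        var_export(sesskey_in_state($seen), true),
        var_export($seen['sesskey'] ?? null, true)
    );
}
```

Because urldecode() runs over the whole return URL, percent-encoded characters inside a nested parameter such as the constructed wantsurl are decoded as well, so a nested value containing & or = would no longer stay inside that parameter.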