zamzterz/Flask-pyoidc

Authentication fails with "KeyError: 'state'"


Traceback:

  File "/home/enkelli/virtualenv/lib/python3.8/site-packages/flask/app.py", line 1950, in full_dispatch_request
    rv = self.dispatch_request()
  File "/home/enkelli/virtualenv/lib/python3.8/site-packages/flask/app.py", line 1936, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/home/enkelli/virtualenv/lib/python3.8/site-packages/flask_pyoidc/flask_pyoidc.py", line 145, in _handle_authentication_response
    flask.session.pop('state'),
  File "/home/enkelli/virtualenv/lib/python3.8/site-packages/werkzeug/datastructures.py", line 269, in pop
    rv = super(UpdateDictMixin, self).pop(key)
KeyError: 'state'

Unfortunately, I cannot provide steps to reproduce this error. It happened only a few times, often when I went to my website after a longer period of inactivity (much more than the session refresh interval but less than the cookie expiration time).

In the code where the error happens there is a simple dictionary pop(). I wonder what would happen if we prevented the KeyError by passing a default (None) value there, i.e. flask.session.pop('state', None). It would prevent the KeyError. However, this may be just a nasty hack and I do not know what would follow with state = None. Another option I can think of: detect this situation (missing state) and raise a custom flask_pyoidc authentication error which would end up in @auth.error_view.

Thanks for the report!

It's easily reproducible by sending any request to the redirect_uri endpoint when there is no outstanding authentication request. A missing state can't really be ignored, so #90 makes the framework handle any such error more gracefully - i.e. returning an unsolicited_response error to any configured error view.

What's still unsolved is why such a request would end up reaching your application. Without more details I can't really be sure, so if you are able to catch some more debug details if this happens again, that would be very helpful. 🙂
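To illustrate the handling the maintainer describes, here is an added example (not Flask-pyoidc's own code) of a redirect_uri handler that treats a missing session state as an unsolicited response instead of raising KeyError; the session is modelled as a plain dict and the `invalid_state` error name is an assumption, only `unsolicited_response` comes from the thread.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Mapping, MutableMapping, Optional


@dataclass
class AuthError:
    """Error to hand to the configured error view instead of crashing."""
    error: str
    description: str


def start_authentication(session: MutableMapping[str, str]) -> str:
    """Store a fresh, unguessable 'state' in the session before redirecting
    the browser to the OpenID provider. Returns the state for the redirect."""
    state = secrets.token_urlsafe(32)
    session['state'] = state
    return state


def handle_authentication_response(session: MutableMapping[str, str],
                                   query: Mapping[str, str]) -> Optional[AuthError]:
    """Validate the provider's response sent to redirect_uri.

    Returns None when the response matches an outstanding request, or an
    AuthError the caller routes to its error view. The state is always
    consumed (popped), so a replayed or bookmarked redirect cannot succeed.
    """
    expected_state = session.pop('state', None)  # default avoids KeyError
    if expected_state is None:
        # No authentication request is outstanding for this session, e.g. a
        # stale bookmarked redirect_uri opened on browser startup.
        return AuthError('unsolicited_response',
                         'No outstanding authentication request for this session')
    received_state = query.get('state')
    if received_state is None or not hmac.compare_digest(
            received_state.encode('utf-8'), expected_state.encode('utf-8')):
        # Wrong or missing state: the response does not belong to this session.
        return AuthError('invalid_state',  # assumed error name
                         'Authentication response does not match the request')
    if 'error' in query:
        # Provider reported an error (e.g. access_denied); surface it as-is.
        return AuthError(query['error'], query.get('error_description', ''))
    return None  # caller proceeds to exchange query['code'] for tokens
```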

Thank you for the fix!
I'm using a session sync addon in my browser, it is based on bookmarks and somehow the redirect URI was bookmarked. The error occurred on browser startup, i.e. addon restored my tabs - tab with an old redirect_uri was opened and it crashed.

That explains it - good to know it wasn't something in the framework 👍