Authentication fails with "KeyError: 'state'"
Closed this issue · 3 comments
Traceback:
```
  File "/home/enkelli/virtualenv/lib/python3.8/site-packages/flask/app.py", line 1950, in full_dispatch_request
    rv = self.dispatch_request()
  File "/home/enkelli/virtualenv/lib/python3.8/site-packages/flask/app.py", line 1936, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/home/enkelli/virtualenv/lib/python3.8/site-packages/flask_pyoidc/flask_pyoidc.py", line 145, in _handle_authentication_response
    flask.session.pop('state'),
  File "/home/enkelli/virtualenv/lib/python3.8/site-packages/werkzeug/datastructures.py", line 269, in pop
    rv = super(UpdateDictMixin, self).pop(key)
KeyError: 'state'
```
Unfortunately, I cannot provide steps to reproduce this error. It happened only a few times, often when I went to my website after a longer period of inactivity (much more than session refresh interval but less than cookie expiration time).
The code where the error happens is a simple dictionary `pop()`. I wonder what would happen if we prevented the `KeyError` by passing a default (`None`) value there, i.e. `flask.session.pop('state', None)`. It would prevent the `KeyError`. However, this may be just a nasty hack and I do not know what would follow with `state = None`. Another option I can think of: detect this situation (missing `state`) and raise a custom `flask_pyoidc` authentication error which would end up in `@auth.error_view`.
Thanks for the report!
It's easily reproducible by sending any request to the redirect_uri endpoint when not having an outstanding authentication request. Missing `state` can't really be ignored, so #90 makes the framework handle any such error more gracefully - i.e. returning an `unsolicited_response` error to any configured error view.
What's still unsolved is why such a request would end up reaching your application. Without more details I can't really be sure, so if you are able to catch some more debug details if this happens again that would be very helpful. 🙂
Thank you for the fix!
I'm using a session sync addon in my browser; it is based on bookmarks and somehow the redirect URI was bookmarked. The error occurred on browser startup, i.e. the addon restored my tabs - a tab with an old `redirect_uri` was opened and it crashed.
That explains it - good to know it wasn't something in the framework 👍
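The two options discussed in this thread, side by side, as an added example that is not part of the thread and is not flask_pyoidc's own code: defaulting the missing `state` to `None` versus treating it as an `unsolicited_response` handed to an error view. The session is modelled as a plain dict, and `AuthResponseError`, the function names and the `state_mismatch` code are hypothetical.

```python
import hmac
import secrets


class AuthResponseError(Exception):
    """Hypothetical error type carrying an error code for an error view."""
    def __init__(self, error, description):
        super().__init__(description)
        self.error = error
        self.description = description


def start_authentication(session):
    """Store a fresh state value in the session before redirecting to the provider."""
    session['state'] = secrets.token_urlsafe(16)
    return session['state']


def naive_check(session, response_params):
    """The pop('state', None) idea: no KeyError, but None == None passes the check."""
    return session.pop('state', None) == response_params.get('state')


def checked_state(session, response_params):
    """Return the validated state, or raise an error that an error view can render."""
    expected = session.pop('state', None)  # single use: removed even on failure
    if expected is None:
        # No outstanding authentication request, e.g. a bookmarked redirect URI.
        raise AuthResponseError('unsolicited_response',
                                'No authentication request is pending for this session.')
    received = response_params.get('state')
    if received is None or not hmac.compare_digest(expected.encode(), received.encode()):
        # 'state_mismatch' is a hypothetical code chosen for this example.
        raise AuthResponseError('state_mismatch',
                                'The state parameter does not match the session.')
    return received


def handle_redirect(session, response_params, error_view):
    """Dispatch to the error view instead of letting the request fail with a KeyError."""
    try:
        state = checked_state(session, response_params)
    except AuthResponseError as exc:
        return error_view(exc.error, exc.description)
    return ('ok', state)
```

With the `None` default, a response that also lacks `state` compares equal to the missing session value, which is why a missing `state` has to be rejected rather than defaulted.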