Resolve invalid state parameter issue.

2026-06-05 22:44:17 +00:00 · 2024-09-02 20:57:20 +01:00
parent e9e1fccf5e
commit b1c0fc5583
2 changed files with 8 additions and 1 deletions
@@ -143,7 +143,7 @@ func (t *TraefikOidc) handleCallback(rw http.ResponseWriter, req *http.Request)
 	sessionState, ok := session.Values["csrf"].(string)
 	if !ok || callbackState != sessionState {
 		handleError(rw, "Invalid state parameter", http.StatusBadRequest, t.logger)
-		return false, ""
+		return false, "invalid-state-param"
 	}

 	code := req.URL.Query().Get("code")
@@ -261,6 +261,13 @@ func (t *TraefikOidc) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 			http.Redirect(rw, req, originalPath, http.StatusFound)
 			return
 		}
+		if !authSuccess && originalPath == "invalid-state-param" {
+			// redirect to the root path so that the user can try again
+			// this usually happens when user was previously authenticated
+			// and the session was cleared, but user tries to refresh the page
+			// and different traefik instance is used.
+			http.Redirect(rw, req, "/", http.StatusFound)
+		}
 		http.Error(rw, "Authentication failed", http.StatusUnauthorized)
 		return
 	}