From b1c0fc5583ba3cc74fdc10efce54282c2c931d11 Mon Sep 17 00:00:00 2001
From: Lukasz Raczylo
Date: Mon, 2 Sep 2024 20:57:20 +0100
Subject: [PATCH] Resolve invalid state parameter issue.

---
 helpers.go | 2 +-
 main.go | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/helpers.go b/helpers.go
index d487a0c..5aa9ea0 100644
--- a/helpers.go
+++ b/helpers.go
@@ -143,7 +143,7 @@ func (t *TraefikOidc) handleCallback(rw http.ResponseWriter, req *http.Request)
 sessionState, ok := session.Values["csrf"].(string)
 if !ok || callbackState != sessionState {
 handleError(rw, "Invalid state parameter", http.StatusBadRequest, t.logger)
- return false, ""
+ return false, "invalid-state-param"
 }
 
 code := req.URL.Query().Get("code")
diff --git a/main.go b/main.go
index e594b6f..6977e4e 100644
--- a/main.go
+++ b/main.go
@@ -261,6 +261,13 @@ func (t *TraefikOidc) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 http.Redirect(rw, req, originalPath, http.StatusFound)
 return
 }
+ if !authSuccess && originalPath == "invalid-state-param" {
+ // redirect to the root path so that the user can try again
+ // this usually happens when user was previously authenticated
+ // and the session was cleared, but user tries to refresh the page
+ // and different traefik instance is used.
+ http.Redirect(rw, req, "/", http.StatusFound)
+ }
 http.Error(rw, "Authentication failed", http.StatusUnauthorized)
 return
 }
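Review bot: The changed return in handleCallback overloads the redirect-path result with the magic string `"invalid-state-param"`, which the caller in main.go must then match byte-for-byte; a shared constant such as `const invalidStateMarker = "invalid-state-param"` used at both sites, or a sentinel error value, would keep the two from drifting and make the intent visible at the call site. The line above the change already calls handleError with http.StatusBadRequest; if handleError writes the response, as its arguments suggest, the 400 is committed before the caller ever sees the marker, and any redirect the caller issues afterwards would be a superfluous WriteHeader that never reaches the client — worth confirming against handleError's body, which is outside this hunk. handleCallback itself starts and continues outside the hunk.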
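Review bot: The new `if` block in ServeHTTP calls http.Redirect but does not `return`, so execution falls through to `http.Error(rw, "Authentication failed", http.StatusUnauthorized)` on the next line and the handler writes a second status and body onto the same response; the redirect line should read `http.Redirect(rw, req, "/", http.StatusFound)` followed by `return`. The `!authSuccess &&` half of the condition looks redundant if the preceding branch returns on success, but that branch starts outside the hunk, so this is inferred. The comment attributes the mismatch to a different Traefik instance handling the callback, which points at session state not being shared between instances; redirecting to `/` hides that the CSRF state check failed rather than addressing the store, so the failure should at least remain logged so repeated mismatches stay visible. ServeHTTP continues outside the hunk on both sides.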