The "state" value within "showSignIn" response is undefined, or has an unexpected value when redirected.

[YImhof]

Describe the bug

Using Typescript, showSignIn signature defines RenderResult as promised return type, which, in case of succeeded OIdC login, resolves to RenderResultSuccessOIDC that has a state field.

That state field remains always undefined. From the client app's point of view, as there is no redirection, checking the state matching can appear not very valuable, except perhaps for consistency.

But what is more critical occurs in case of redirection, when another identity provider has been chosen by the user (for example through a "Sign-in with Google" button configured in widget's idps property). The value of the state field received by the redirect callback does not match the given one through RenderOptions argument:

const renderOptions: RenderOptions = {
    state: stateParam,
    nonce: nonceParam
};
const response: RenderResult = await this.oktaClient.showSignIn(renderOptions);

Reproduction Steps

Using the attached file:

• extract file showSignInTest.html from archive and configure needed constants in the script tag
• allow the defined redirect url in your Okta application
• configure a secondary identity provider for your Okta application
• publish the file with your preferred web server (HTTPS protocol needed)

Displaying the file in a browser you will get:

• an alert "Undefined state" if your Okta user is already logged in.
• an alert like "oyPlr5bW4adJJl5aLAuOk5KavLvgoLVf3Obct7TlMiONx0c6AQLPHaj8FMyD9rvP <> myStateValueHash" after successful login through secondary identity provider.

showSignInTest.zip

SDK Versions

System:

• OS: Windows 10 10.0.19045
• CPU: (8) x64 Intel(R) Core(TM) i7-9700 CPU @ 3.00GHz
• Memory: 5.64 GB / 15.78 GB

Binaries:

• nvm: 1.1.11
• Node: 18.17.1 - C:\Program Files\nodejs\node.EXE
• npm: 9.6.7 - C:\Program Files\nodejs\npm.CMD

Browsers: (in preference order)

• Firefox: 117.0 (64-bit)
• Chrome: 118.0.5951.0 (Official Build) dev (64-bit)
• Edge: Spartan (44.19041.1266.0), Chromium (116.0.1938.62)
• Internet Explorer: 11.0.19041.1566

npmPackages:

• @okta/okta-auth-js: ^7.2.0 => 7.2.0
• @okta/okta-signin-widget: ^7.9.1 => 7.9.1

Remark: I do not use IE anymore ... ;-)

Additional Information

No response

[jaredperreault-okta]

@YImhof Just to clarify, you're observing 2 separate issues:

1. When no redirect is performed, no state value is returned
2. When using an external IDP (which involves a redirect), the state param returned does not match the external IDP's state param

Is my understanding correct?

[YImhof]

@jaredperreault-okta Your understanding is correct, yes, although, imho, these two different behaviors have the same origin.

Regarding the second case, involving a redirect, I am not sure about the "does not match the external IDP's state", and to be honest, I think that the widget should be in charge of checking the match of its own state value returned by the secondary IDP.

What I need to check is the match of the state value I passed in the showSignIn options. And for now, the returned value by the widget does not match, which could be the result of a CSRF attack and therefore should invalidate the login process ...

[shuowu-okta]

Internal ref: OKTA-644935