Attempt a redirect (once) if there's a state mismatch

2025-05-15 17:17:02 +02:00 · 2024-03-15 15:34:53 -04:00 · 2024-03-15 15:34:53 -04:00 · ea43a34dee
commit ea43a34dee
parent 63c0aec4b8
4 changed files with 34 additions and 20 deletions
--- a/src/djangooidc/oidc.py
+++ b/src/djangooidc/oidc.py
@ -182,14 +182,20 @@ class Client(oic.Client):

        if authn_response["state"] != session.get("state", None):
            # this most likely means the user's Django session vanished
-            logger.error(
-                f"Received state not the same as expected for {state}"
-                f"authn_response['state'] = {authn_response['state']}"
-                f"session.get('state', None) = {session.get('state', None)}"
-            )
            if session.get("state", None) is None:
-                raise o_e.NoStateDefined()
-            raise o_e.AuthenticationFailed(locator=state)
+                logger.error(
+                    f"The OP state {state} does not match the session state."
+                    f"The session state is None."
+                    f"authn_response['state'] = {authn_response['state']}"
+                    f"session.get('state', None) = {session.get('state', None)}"
+                )
+            else:
+                logger.error(
+                    f"The OP state {state} does not match the session state."
+                    f"authn_response['state'] = {authn_response['state']}"
+                    f"session.get('state', None) = {session.get('state', None)}"
+                )
+            raise o_e.StateMismatch()

        if self.behaviour.get("response_type") == "code":
            # need an access token to get user info (and to log the user out later)