From 085fc4a9eb7d1e2a0f7b48baa1f09a8ba0d515e1 Mon Sep 17 00:00:00 2001 From: Hivert Quentin Date: Tue, 20 May 2025 09:08:46 +0200 Subject: [PATCH] fix(openid): add state in connection flow --- SoObjects/SOGo/SOGoOpenIdSession.m | 9 +++++++++ UI/MainUI/SOGoUserHomePage.m | 6 +++--- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/SoObjects/SOGo/SOGoOpenIdSession.m b/SoObjects/SOGo/SOGoOpenIdSession.m index 0dda9b5c2..38710f4a1 100644 --- a/SoObjects/SOGo/SOGoOpenIdSession.m +++ b/SoObjects/SOGo/SOGoOpenIdSession.m @@ -18,6 +18,8 @@ * Boston, MA 02111-1307, USA. */ +#import + #import #import #import @@ -435,6 +437,12 @@ static BOOL SOGoOpenIDDebugEnabled = YES; nextCheckAfter: nextCheck]; } + +-(NSString *) _random_state +{ + return [[[NSProcessInfo processInfo] globallyUniqueString] asSHA1String];; +} + - (NSString*) loginUrl: (NSString *) oldLocation { NSString* logUrl; @@ -442,6 +450,7 @@ static BOOL SOGoOpenIDDebugEnabled = YES; logUrl = [logUrl stringByAppendingString: @"&response_type=code"]; logUrl = [logUrl stringByAppendingFormat: @"&client_id=%@", self->openIdClient]; logUrl = [logUrl stringByAppendingFormat: @"&redirect_uri=%@", oldLocation]; + logUrl = [logUrl stringByAppendingFormat: @"&state=%@", [self _random_state]]; if(self->forDomain != nil && [self->forDomain length] > 0) logUrl = [logUrl stringByAppendingFormat: @"&sogo_domain=%@", forDomain]; // logurl = [self->logurl stringByAppendingFormat: @"&state=%@", state]; diff --git a/UI/MainUI/SOGoUserHomePage.m b/UI/MainUI/SOGoUserHomePage.m index 9a56ed962..e9c5d9573 100644 --- a/UI/MainUI/SOGoUserHomePage.m +++ b/UI/MainUI/SOGoUserHomePage.m 
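Review bot: `_random_state` derives the value from `[[NSProcessInfo processInfo] globallyUniqueString]`, which is specified for uniqueness, not unpredictability, and running it through `asSHA1String` adds no entropy; an OAuth `state` only defends against login CSRF if the attacker cannot guess it, so it should come from a CSPRNG (for example 32 bytes read from `/dev/urandom` through `NSFileHandle`, hex-encoded) unless SOGo already has a secure-random helper. Nothing in this hunk records the generated value, so as far as the patch shows there is nothing for the callback handler to compare against; the state has to be saved in the user's session (or a cookie bound to it) when the URL is built and the redirect rejected when the returned `state` differs. Minor: the `return` line ends with `;;`, and `-(NSString *) _random_state` matches neither the file's `- (NSString *) ...` spacing nor Cocoa camelCase (`randomState`).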
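Review bot: The `state` appended by the new line is generated inline and immediately discarded — `loginUrl:` neither returns it nor stores it, so the handler behind `redirect_uri` cannot verify it and the parameter adds no CSRF or mix-up protection as written; hold on to it, e.g. `NSString *state = [self _random_state];` persisted with the session before `[logUrl stringByAppendingFormat: @"&state=%@", state]`, and compare it on the way back. The commented-out `// logurl = [self->logurl stringByAppendingFormat: @"&state=%@", state];` line two lines below is now superseded by the live one and should be deleted rather than left beside it. Note also that `oldLocation` is interpolated into `redirect_uri` without percent-encoding (pre-existing, but any `&` or `#` in it would corrupt the query string). `loginUrl:` opens in the previous hunk and continues past the end of this one.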
@@ -447,9 +447,9 @@
 }
 else if ([authType isEqualToString: @"openid"])
 {
- SOGoOpenIdSession* session;
- session = [SOGoOpenIdSession OpenIdSession: loginDomain];
- redirectURL = [session logoutUrl];
+ SOGoOpenIdSession* sessionOidc;
+ sessionOidc = [SOGoOpenIdSession OpenIdSession: loginDomain];
+ redirectURL = [sessionOidc logoutUrl];
 }
 #if defined(SAML2_CONFIG)
 else if ([authType isEqualToString: @"saml2"])