From f9bf07a5b91ca0bc64e1e9cb2b99d07c9c594290 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Sch=C3=A4fer?= <felix@thegcat.net>
Date: Fri, 11 Oct 2024 20:29:14 +0200
Subject: [PATCH] Remove nonces, state is enough

---
 pretix_oidc/auth.py | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/pretix_oidc/auth.py b/pretix_oidc/auth.py
index 245751c..2936fc7 100644
--- a/pretix_oidc/auth.py
+++ b/pretix_oidc/auth.py
@@ -59,10 +59,8 @@ class OIDCAuthBackend(BaseAuthBackend):
 
     def authentication_url(self, request):
         oidc_state = rndstr()
-        oidc_nonce = rndstr()
         request.session["oidc_state"] = {
             oidc_state: {
-                "nonce": oidc_nonce,
                 "next": request.GET.get("next", None),
                 "generated_on": int(time.time()),
             }
@@ -73,7 +71,6 @@ class OIDCAuthBackend(BaseAuthBackend):
                 "client_id": self.client.client_id,
                 "response_type": "code",
                 "scope": self.scopes,
-                "nonce": oidc_nonce,
                 "redirect_uri": self.redirect_uri(request),
                 "state": oidc_state,
             }
@@ -104,9 +101,6 @@ class OIDCAuthBackend(BaseAuthBackend):
         if response_state not in oidc_state:
             return [None, None]
 
-        if auth_response["nonce"] != oidc_state[response_state]["nonce"]:
-            return [None, None]
-
         if oidc_state[response_state]["generated_on"] < time.time() + 5 * 60:
             return [None, None]
 
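Review bot: The freshness check that remains at `if oidc_state[response_state]["generated_on"] < time.time() + 5 * 60:` is inverted — `generated_on` is the `int(time.time())` stored when the flow started, so it is always below now plus five minutes and this branch rejects every callback with `[None, None]`; the five-minute window reads `if oidc_state[response_state]["generated_on"] < time.time() - 5 * 60:`. Now that the nonce is gone, this `state` entry is the only link between the callback and the session that began the flow, so a short comment is warranted: `# state binds the callback to the session that started the flow (CSRF on the redirect); the ID token nonce, which guarded against token replay, is not checked in the code flow`. The deleted comparison appears to have read a `nonce` key from the authorization response rather than from the ID token claims, so it may never have been effective, but that cannot be confirmed from this hunk. The enclosing method starts before and ends after the hunk.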
-- 
GitLab