Validate state before ID Token request

ricklambrechts · ricklambrechts · commit 7ef45166d591 · 2024-09-30T14:14:43.000+02:00
diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php
@@ -306,7 +306,15 @@ public function authenticate(): bool
 
         // If we have an authorization code then proceed to request a token
         if (isset($_REQUEST['code'])) {
+            // Do an OpenID Connect session check
+            if (!isset($_REQUEST['state']) || ($_REQUEST['state'] !== $this->getState())) {
+                throw new OpenIDConnectClientException('Unable to determine state');
+            }
 
+            // Cleanup state
+            $this->unsetState();
+
+            // Request ID Token
             $code = $_REQUEST['code'];
             $token_json = $this->requestTokens($code);
 
@@ -318,14 +326,6 @@ public function authenticate(): bool
                 throw new OpenIDConnectClientException('Got response: ' . $token_json->error);
             }
 
-            // Do an OpenID Connect session check
-	    if (!isset($_REQUEST['state']) || ($_REQUEST['state'] !== $this->getState())) {
-                throw new OpenIDConnectClientException('Unable to determine state');
-            }
-
-            // Cleanup state
-            $this->unsetState();
-
             if (!property_exists($token_json, 'id_token')) {
                 throw new OpenIDConnectClientException('User did not authorize openid scope.');
             }
@@ -379,7 +379,7 @@ public function authenticate(): bool
             $accessToken = $_REQUEST['access_token'] ?? null;
 
             // Do an OpenID Connect session check
-    	    if (!isset($_REQUEST['state']) || ($_REQUEST['state'] !== $this->getState())) {
+            if (!isset($_REQUEST['state']) || ($_REQUEST['state'] !== $this->getState())) {
                 throw new OpenIDConnectClientException('Unable to determine state');
             }
 
