don't send state parameter in token request

aaronpk · aaronpk · commit f5f6efad7933 · 2017-04-26T14:44:35.000-07:00
A common mistake in the OAuth flow is expecting the client to send the state parameter in the token request. This fixes the token endpoint to not require that parameter. https://tools.ietf.org/html/rfc6749#section-4.1.3
diff --git a/README.md b/README.md
@@ -134,12 +134,11 @@ To get an access token, the client makes a POST request to the token endpoint, p
 * `me` - the user's URL
 * `redirect_uri` - must match the redirect URI used in the request to obtain the authorization code
 * `client_id` - must match the client ID used in the initial request
-* `state` - must match the state parameter used in the initial request 
 
 The following function will make a POST request to the token endpoint and parse the result.
 
 ```php
-$token = IndieAuth\Client::getAccessToken($tokenEndpoint, $_GET['code'], $_GET['me'], $redirect_uri, $client_id, $_GET['state']);
+$token = IndieAuth\Client::getAccessToken($tokenEndpoint, $_GET['code'], $_GET['me'], $redirect_uri, $client_id);
 ```
 
 The `$token` variable will look like the following:
diff --git a/src/IndieAuth/Client.php b/src/IndieAuth/Client.php
@@ -166,7 +166,7 @@ public static function build_url($parsed_url) {
   }
 
   // Used by clients to get an access token given an auth code
-  public static function getAccessToken($tokenEndpoint, $code, $me, $redirectURI, $clientID, $state, $debug=false) {
+  public static function getAccessToken($tokenEndpoint, $code, $me, $redirectURI, $clientID, $debug=false) {
     $ch = curl_init();
     self::_setUserAgent($ch);
     curl_setopt($ch, CURLOPT_URL, $tokenEndpoint);
@@ -177,7 +177,6 @@ public static function getAccessToken($tokenEndpoint, $code, $me, $redirectURI,
       'me' => $me,
       'code' => $code,
       'redirect_uri' => $redirectURI,
-      'state' => $state,
       'client_id' => $clientID
     )));
     $response = curl_exec($ch);
@@ -201,7 +200,7 @@ public static function getAccessToken($tokenEndpoint, $code, $me, $redirectURI,
   }
 
   // Used by a token endpoint to verify the auth code
-  public static function verifyIndieAuthCode($authorizationEndpoint, $code, $me, $redirectURI, $clientID, $state, $debug=false) {
+  public static function verifyIndieAuthCode($authorizationEndpoint, $code, $me, $redirectURI, $clientID, $debug=false) {
     $ch = curl_init();
     self::_setUserAgent($ch);
     curl_setopt($ch, CURLOPT_URL, $authorizationEndpoint);
@@ -210,7 +209,6 @@ public static function verifyIndieAuthCode($authorizationEndpoint, $code, $me, $
     curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array(
       'code' => $code,
       'redirect_uri' => $redirectURI,
-      'state' => $state,
       'client_id' => $clientID
     )));
     $response = curl_exec($ch);
