Description
Describe the bug
The Keycloak client uses the state OAuth 2.0 parameter, which is not mandatory but strongly recommended 👍.
I see in the client code that, when parsing the callback URL, it checks that the state parameter exists, but never checks if its value matches the one it generated at the beginning of the flow. I think this could lead to a security vulnerability.
Could you please tell me if I'm right, and if so, fix this?
Thanks a lot!
Version
26.0.6
Expected behavior
If the client gets a response with a different state token than the one it initially generated, it should stop the authentication flow.
Actual behavior
If the client gets a response with a different state token than the one it initially generated, it continues with the authentication flow.
How to Reproduce?
Edit the state parameter that is returned by the server.
Anything else?
No response