From d8b07817e5c267456040748dabeb697616983243 Mon Sep 17 00:00:00 2001
From: Sigmund Augdal
Date: Thu, 5 Sep 2019 14:07:51 +0200
Subject: [PATCH] Create a state id without restart url

The restart url only makes sense for saml idps, and it will potentially leak quite a bit of information that was encoded in the url to the OP. Also the shorted state parameter makes for nice urls.
---
 lib/Auth/Source/OAuth2.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/Auth/Source/OAuth2.php b/lib/Auth/Source/OAuth2.php
index 617dd63..1480c09 100644
--- a/lib/Auth/Source/OAuth2.php
+++ b/lib/Auth/Source/OAuth2.php
@@ -104,7 +104,7 @@ public function authenticate(&$state)
 // We are going to need the authId in order to retrieve this authentication source later, in the callback
 $state[self::AUTHID] = $this->getAuthId();
- $stateID = \SimpleSAML\Auth\State::saveState($state, self::STAGE_INIT);
+ $stateID = \SimpleSAML\Auth\State::saveState($state, self::STAGE_INIT, true);
 $providerLabel = $this->getLabel();
 Logger::debug("authoauth2: $providerLabel saved state with stateID=$stateID");
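Review bot: The bare `true` on the changed `saveState(...)` line gives a reader no hint that the third argument suppresses the restart URL, and the reasoning in the commit message never reaches the code; a comment on the line above would fix that, e.g. `// rawId=true: this id is sent to the OP as the OAuth2 state parameter, so omit the restart URL and the request details it encodes`. The hunk also does not document the trade-off the change implies: with no restart URL embedded in the id, a callback that arrives with an unknown or expired state id presumably can no longer redirect the user back to the start of the flow, so the callback side should be checked to produce a sensible error rather than an unhandled exception in that case. authenticate() continues outside the hunk, so whether the returned id is used anywhere else that still expects the restart URL cannot be confirmed here.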