oidc/oauth2: use an opaque state

Signed-off-by: Nicola Murino <[email protected]>

internal/httpd/oauth2.go

@@ -15,13 +15,13 @@
 package httpd
 
 import (
+	"crypto/sha256"
+	"encoding/hex"
 	"encoding/json"
 	"errors"
 	"sync"
 	"time"
 
-	"github.com/rs/xid"
-
 	"github.com/drakkan/sftpgo/v2/internal/dataprovider"
 	"github.com/drakkan/sftpgo/v2/internal/kms"
 	"github.com/drakkan/sftpgo/v2/internal/logger"
@@ -53,8 +53,10 @@ type oauth2PendingAuth struct {
 }
 
 func newOAuth2PendingAuth(provider int, redirectURL, clientID string, clientSecret *kms.Secret) oauth2PendingAuth {
+	state := sha256.Sum256(util.GenerateRandomBytes(32))
+
 	return oauth2PendingAuth{
-		State:        xid.New().String(),
+		State:        hex.EncodeToString(state[:]),
 		Provider:     provider,
 		ClientID:     clientID,
 		ClientSecret: clientSecret,

internal/httpd/oidc.go

@@ -16,6 +16,7 @@ package httpd
 
 import (
 	"context"
+	"crypto/sha256"
 	"encoding/hex"
 	"errors"
 	"fmt"
@@ -202,9 +203,12 @@ type oidcPendingAuth struct {
 }
 
 func newOIDCPendingAuth(audience tokenAudience) oidcPendingAuth {
+	state := sha256.Sum256(util.GenerateRandomBytes(32))
+	nonce := util.GenerateUniqueID()
+
 	return oidcPendingAuth{
-		State:    xid.New().String(),
-		Nonce:    hex.EncodeToString(util.GenerateRandomBytes(20)),
+		State:    hex.EncodeToString(state[:]),
+		Nonce:    nonce,
 		Audience: audience,
 		IssuedAt: util.GetTimeAsMsSinceEpoch(time.Now()),
 	}