Getting error "state not found"

[phxgbl]

I tried example https://github.com/coreos/go-oidc/tree/v3/example/idtoken using dex as the provider.

clientID = "example-app" clientSecret = "ZXhhbXBsZS1hcHAtc2VjcmV0" issuerURL = "http://127.0.0.1:5556/dex"
this is the redirect URL generated : http://127.0.0.1:5556/dex/auth/local/login?back=/dex/auth?client_id=example-app&nonce=y33hX8FTJqMLTiioSqBpCg&redirect_uri=http%3A%2F%2F127.0.0.1%3A3000%2Fauth%2Foidc%2Fcallback&response_type=code&scope=openid+profile+email&state=fL-QEKXmJq5SlP5pwM8YMA&state=i2tdp55gib7izeo7klb2mvjt2

Login using dex static password was successful and redirected back to the client app http://127.0.0.1:3000/auth/oidc/callback?code=xvzekwrtacz5lq7vsbhaoqk3t&state=fL-QEKXmJq5SlP5pwM8YMA with a different state.
before redirect the client app sets Cookie 'state' using function
setCallbackCookie(w, r, "state", state), setCallbackCookie(w, r, "nonce", nonce)
And in callback handler tries to retrieve the same using

state, err := r.Cookie("state") if err != nil { http.Error(w, "state not found", http.StatusBadRequest) return }
but the state gives null. ie, cookie not sent by the browser. any idea?

[phxgbl]

sorry .. my mistake. I used localhost instead of 127.0.0.1. So cookie wasn't set since different domain. once URL was changed to http://127.0.0.1:3000 everything worked as expected.

[ericchiang]

We could also check the host header and send an error on mismatch, if you'd like to send a PR :)

if r.Host != "127.0.0.1:5556" {
    http.Error(...)
    return
}

[phxgbl]

@ericchiang please check this PR