Merge pull request #428 from rushilsrivastava/master

🐛 Clear state from session in OAuth2

authlib/integrations/django_client/apps.py

@@ -76,6 +76,7 @@ def authorize_access_token(self, request, **kwargs):
             }
 
         state_data = self.framework.get_state_data(request.session, params.get('state'))
+        self.framework.clear_state_data(request.session, params.get('state'))
         params = self._format_state_params(state_data, params)
         token = self.fetch_access_token(**params, **kwargs)
 

authlib/integrations/flask_client/apps.py

@@ -98,6 +98,7 @@ def authorize_access_token(self, **kwargs):
             }
 
         state_data = self.framework.get_state_data(session, params.get('state'))
+        self.framework.clear_state_data(session, params.get('state'))
         params = self._format_state_params(state_data, params)
         token = self.fetch_access_token(**params, **kwargs)
         self.token = token

authlib/integrations/starlette_client/apps.py

@@ -70,6 +70,7 @@ async def authorize_access_token(self, request, **kwargs):
             session = request.session
 
         state_data = await self.framework.get_state_data(session, params.get('state'))
+        await self.framework.clear_state_data(session, params.get('state'))
         params = self._format_state_params(state_data, params)
         token = await self.fetch_access_token(**params, **kwargs)