lib/omniauth/strategies/canvas.rb in omniauth-canvas-1.0.0 vs lib/omniauth/strategies/canvas.rb in omniauth-canvas-1.0.1

- old
+ new

@@ -1,18 +1,21 @@ require "omniauth-oauth2" module OmniAuth module Strategies class Canvas < OmniAuth::Strategies::OAuth2 + option :name, "canvas" option :client_options, site: "https://canvas.instructure.com", authorize_url: "/login/oauth2/auth", token_url: "/login/oauth2/token" - option :provider_ignores_state, false + # Canvas does use state but we want to control it rather than letting + # omniauth-oauth2 handle it. + option :provider_ignores_state, true option :token_params, parse: :json uid do @@ -44,21 +47,23 @@ # so we set the value to empty string def query_string "" end - # Override authorize_params so that we can be deliberate about setting state if needed + # Override authorize_params so that we can be deliberate about the value for state + # and not use the session which is unavailable inside of an iframe for some + # browsers (ie Safari) def authorize_params # Only set state if it hasn't already been set options.authorize_params[:state] ||= SecureRandom.hex(24) params = options.authorize_params.merge(options_for("authorize")) if OmniAuth.config.test_mode @env ||= {} @env["rack.session"] ||= {} end - session["omniauth.state"] = params[:state] params end + end end end OmniAuth.config.add_camelization "canvas", "Canvas"
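Review bot: With `option :provider_ignores_state, true`, omniauth-oauth2's callback no longer compares the returned `state` with a stored value, and the second hunk also removes `session["omniauth.state"] = params[:state]`, so nothing visible in this diff verifies `state` when the provider redirects back. The new comment says the integration wants to control state itself, which makes the CSRF check on the callback the consuming application's responsibility. That contract should be stated where the option is set, for example `# The application MUST compare the callback's state with the value it issued; this strategy no longer checks it.` The class body continues between the two hunks, so a callback override that performs the check may exist outside the visible lines.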
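Review bot: In `authorize_params`, `options.authorize_params[:state] ||= SecureRandom.hex(24)` stores the generated value in the strategy's options, and `||=` never replaces a value once it is set. If that options object is shared across requests (OmniAuth appears to copy the strategy shallowly per call; please confirm), every authorization request after the first would carry the same `state`, which matters more now that the library check is off. Generating the value on the merged copy avoids mutating options: `params = options.authorize_params.merge(options_for("authorize"))` followed by `params[:state] ||= SecureRandom.hex(24)`. The `test_mode` block that prepares `@env["rack.session"]` seems to have no reader left in this method after the session write was removed and could be dropped or given a comment explaining why it stays.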