Check state earlier

samuelwei · samuelwei · commit c456cdae6630 · 2025-07-01T21:20:42.000+02:00
diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php
@@ -385,6 +385,16 @@ public function authenticate(): bool
         if (isset($_REQUEST['code'])) {
 
             $code = $_REQUEST['code'];
+
+            // Do an OpenID Connect session check
+            if (!isset($_REQUEST['state']) || ($_REQUEST['state'] !== $this->getState())) {
+                throw new OpenIDConnectClientException('Unable to determine state');
+            }
+
+            // Cleanup state
+            $this->unsetState();
+
+            // Request token from the server using the code
             $token_json = $this->requestTokens($code);
 
             // Throw an error if the server returns one
@@ -395,14 +405,6 @@ public function authenticate(): bool
                 throw new OpenIDConnectClientException('Got response: ' . $token_json->error);
             }
 
-            // Do an OpenID Connect session check
-            if (!isset($_REQUEST['state']) || ($_REQUEST['state'] !== $this->getState())) {
-                throw new OpenIDConnectClientException('Unable to determine state');
-            }
-
-            // Cleanup state
-            $this->unsetState();
-
             if (!property_exists($token_json, 'id_token')) {
                 throw new OpenIDConnectClientException('User did not authorize openid scope.');
             }
