Reimplement UI injection (#236)

custom_components/auth_oidc/tools/oidc_client.py

@@ -289,9 +289,6 @@ class OIDCDiscoveryClient:
 class OIDCClient:
     """OIDC Client implementation for Python, including PKCE."""
 
-    # Flows stores the state, code_verifier and nonce of all current flows.
-    flows = {}
-
     # HTTP session to be used
     http_session: aiohttp.ClientSession = None
 
@@ -312,6 +309,9 @@ class OIDCClient:
         self.client_id = client_id
         self.scope = scope
 
+        # Stores code_verifier and nonce for active authorization flows.
+        self.flows: dict[str, dict[str, str]] = {}
+
         # Optional parameters
         self.client_secret = kwargs.get("client_secret")
 
@@ -544,7 +544,9 @@ class OIDCClient:
             _LOGGER.warning("JWT verification failed: %s", e)
             return None
 
-    async def async_get_authorization_url(self, redirect_uri: str) -> Optional[str]:
+    async def async_get_authorization_url(
+        self, redirect_uri: str, state: str
+    ) -> Optional[str]:
         """Generates the authorization URL for the OIDC flow."""
         try:
             discovery_document = await self._fetch_discovery_document()
@@ -552,7 +554,6 @@ class OIDCClient:
 
             # Generate random nonce & state
             nonce = self._generate_random_url_string()
-            state = self._generate_random_url_string()
 
             # Generate PKCE (RFC 7636) parameters
             code_verifier = self._generate_random_url_string(32)
@@ -644,11 +645,10 @@ class OIDCClient:
         """Completes the OIDC token flow to obtain a user's details."""
 
         try:
-            if state not in self.flows:
+            flow = self.flows.pop(state, None)
+            if flow is None:
                 raise OIDCStateInvalid
 
-            flow = self.flows[state]
-
             discovery_document = await self._fetch_discovery_document()
             token_endpoint = discovery_document["token_endpoint"]