SECURITY: Always validate `state` parameter

config/locales/server.en.yml

@@ -14,5 +14,4 @@ en:
     oauth2_send_auth_header: "Send the token as an HTTP Authorization header"
     oauth2_debug_auth: "Include rich debugging information in your logs"
     oauth2_authorize_options: "When authorizing request these options"
-    oauth2_ignore_state: "Don't validate the state parameter. This will be removed shortly!"
 

config/settings.yml

@@ -14,7 +14,6 @@ login:
   oauth2_email_verified: false
   oauth2_send_auth_header: true
   oauth2_debug_auth: false
-  oauth2_ignore_state: true
   oauth2_authorize_options:
     default: 'scope'
     type: list

plugin.rb

@@ -29,7 +29,7 @@ class OAuth2BasicAuthenticator < ::Auth::OAuth2Authenticator
                         opts = env['omniauth.strategy'].options
                         opts[:client_id] = SiteSetting.oauth2_client_id
                         opts[:client_secret] = SiteSetting.oauth2_client_secret
-                        opts[:provider_ignores_state] = SiteSetting.oauth2_ignore_state
+                        opts[:provider_ignores_state] = false
                         opts[:client_options] = {
                           authorize_url: SiteSetting.oauth2_authorize_url,
                           token_url: SiteSetting.oauth2_token_url