Automattic · ashfame · Sep 23, 2022 · Sep 21, 2022 · Sep 21, 2022 · Sep 21, 2022
diff --git a/src/Http/Handlers/AuthorizeHandler.php b/src/Http/Handlers/AuthorizeHandler.php
@@ -22,6 +22,13 @@ public function __construct( OAuth2Server $server, ConsentStorage $consent_stora
 	}
 
 	public function handle( Request $request, Response $response ): Response {
+		// Our dependency bshaffer's OAuth library currently has a bug where it doesn't pick up nonce correctly if it's a POST request to the Authorize endpoint.
+		// Fix has been contributed upstream (https://github.com/bshaffer/oauth2-server-php/pull/1032) but it doesn't look it would be merged anytime soon based on recent activity.
+		// Hence, as a temporary fix, we are copying over the nonce from parsed $_POST values to parsed $_GET values in $request object here.
+		if ( isset( $request->request['nonce'] ) && ! isset( $request->query['nonce'] ) ) {
+			$request->query['nonce'] = $request->request['nonce'];
+		}
+
 		if ( ! $this->server->validateAuthorizeRequest( $request, $response ) ) {
 			return $response;
 		}