Scope value double-escaping? #1201

Closed
ngrigoriev opened this issue Dec 5, 2018 · 3 comments
Scope value containing "*" character appears to be escaped twice in the resulting URL fragment

I am using the scope "api:*" (just for testing). I have noticed that I get it back as "api%3A%2A" in my client that un-escapes the values from the fragment string.

To Reproduce
Steps to reproduce the behavior:

  1. Set up Hydra as per documentation
  2. Create a client with implicit grant support (I use "docker exec -it docker ps -f name=hydra_hydra_1 -q hydra clients create --endpoint http://localhost:4445 --id client3 --secret secret3 -g implicit --scope api:* -c http://app-call-back/ -r token")
  3. Use the original hydra-login-consent-node example as login/consent provider.
  4. Try to perform the authorization (I used Postman). The resulting scope is shown as "api:%3A%2A". I use JWT token and in that token the value is correct, i.e. "api:*". Also the value is shown correctly as "api:*" in the sample UI.
  5. Use tcpdump or another method of capturing the traffic. I wanted to see the final Location value sent by Hydra. I observed "...&expires_in=3600&scope=api%253A%252A&state=...". So it appears that at least the scope value has been escaped twice.

Expected behavior
I would expect the value to be "api:*" and the value on the wire to be "&expires_in=3600&scope=api%3A%2A&state="

Protocol dump

GET /oauth2/auth?response_type=token&state=242vvcfsddsfrer&client_id=client3&scope=api%3A*&redirect_uri=http%3A%2F%2Fapp-call-back%2F HTTP/1.1
Host: localhost:4444
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Postman/6.5.3 Chrome/59.0.3071.115 Electron/1.8.4 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US
Cookie: _csrf=Mrt7oJzMQbLVtlEHAJoQWS0F; oauth2_authentication_csrf=MTU0NDA0NTI2N3xEdi1CQkFFQ180SUFBUkFCRUFBQVB2LUNBQUVHYzNSeWFXNW5EQVlBQkdOemNtWUdjM1J5YVc1bkRDSUFJRGRqT0RkaFpURmpZemhoTlRSallUQmhPRFkwTUdVNE5ETTNaVEV5WW1OaHyf9wqKXVZq2q6QQPhVgWkTFOZb_nob7AhvZTwYt755RA==; oauth2_consent_csrf=MTU0NDA0NTI3OXxEdi1CQkFFQ180SUFBUkFCRUFBQVB2LUNBQUVHYzNSeWFXNW5EQVlBQkdOemNtWUdjM1J5YVc1bkRDSUFJR1k1WWpoa1pEUTFaVE5oWmpRd1lXWmhORGM1WlRneE9XUTJNelkxTldZMHzDEn8pwFJsFakxWzdSnKsj4vSkspiERGb1jQKoLgHnxw==
...
...
...
GET /oauth2/auth?client_id=client3&consent_verifier=a9f635d1cbe04b288707480b459a525f&redirect_uri=http%3A%2F%2Fapp-call-back%2F&response_type=token&scope=api%3A%2A&state=242vvcfsddsfrer HTTP/1.1
Host: localhost:4444
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Postman/6.5.3 Chrome/59.0.3071.115 Electron/1.8.4 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://localhost:3000/consent?consent_challenge=0e3da6a5b2234ab2b2ed5d87831b05b0
Accept-Encoding: gzip, deflate
Accept-Language: en-US
Cookie: _csrf=Mrt7oJzMQbLVtlEHAJoQWS0F; oauth2_authentication_csrf=MTU0NDA0NTM4MXxEdi1CQkFFQ180SUFBUkFCRUFBQVB2LUNBQUVHYzNSeWFXNW5EQVlBQkdOemNtWUdjM1J5YVc1bkRDSUFJREZtWVRnNVl6SmtOV0l3WXpSa1lXVmhPRFZpTUdFMk1URTFaRGs0TjJSaXwN9R3lOKb3bJaEreqa8y3ph8jtZmjp7RfTUejZ0pyTag==; oauth2_consent_csrf=MTU0NDA0NTM4OHxEdi1CQkFFQ180SUFBUkFCRUFBQVB2LUNBQUVHYzNSeWFXNW5EQVlBQkdOemNtWUdjM1J5YVc1bkRDSUFJRE01WXpBNU9EY3paVEE0WVRSbE9UUTVNV1ZqWkRBM1kySTJZakEwTWpGanySM8BwPsMh5X0oouWjLhS4Tj1ijF2kxRPCIoxhpA20iw==
HTTP/1.1 302 Found
Location: http://app-call-back/#access_token=eyJhbGciOiJSUzI1NiIsImtpZCI6InB1YmxpYzo2YTMxODQ2Zi1lMDAxLTQ3NmUtODZjNi1jYTE5MmQwY2I4MjEiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOltdLCJjbGllbnRfaWQiOiJjbGllbnQzIiwiZXhwIjoxNTQ0MDQ4OTkyLCJleHQiOnt9LCJpYXQiOjE1NDQwNDUzOTEsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6NDQ0NC8iLCJqdGkiOiI0MjI4NjRkNS01YmY2LTRmY2EtOWQwNi0xNGY1M2Q2MmM3NWUiLCJuYmYiOjE1NDQwNDUzOTEsInNjcCI6WyJhcGk6KiJdLCJzdWIiOiJmb29AYmFyLmNvbSJ9.PRs_xpTaaFX2rCZ0HaRknoAgxBw2JD2qWufopl6_w5GddAhhYIpMTxJCPRe0JHmNqwbWidre8JEcIgURhX8gouG1VUxwG6HNIx0FE6G_Aqvr0KYvcrLSqMWMoiBgFeST3GheAjL45wB_5e1a0B5zyMqaldaBpZFInU96qJ8b1E7uQstNPCG871osa4bLf8RAV9E3sE1_IBdzGVbXBJQRidDHx0Q8V4uTL_Zh1SJbvV_ltl4wJtuBgBWmxPWFSxMLh6TtCi_Iek6UrquqnzPKFVYD33MOi5VvQOiE9rJCI_eE1tJVsLwARZ7Or251y0D0sL04ANofIljc9dX9LoP9pwnDezlfQpdCMjPB9et6N4Urv9D0-6h3Gagd6AXGJHbwcFbimAbmtvcO3YClpD1gNvqBpCNlHemGH_jnSpoymRFaTr5ezw1z0N8vYf9lFFJjnoRgc9sj8o2fogOcxG2b0MeH169uV2JPblXe4Z53PQLuoCi5Zsaqe8UcQGufpJKsqAm_XIHHgapYbgLKaAqa3ewcEMG-VrOYMwIW4G7BAxSb9Ryw4bujWdh7_A6rFtVonPi7TSUD1GX7kr1tw4NdsRaKaobadTnIk31CiQTFXwu5x2LPalWXbg4OWvHjUFmeukeXfGi2wWNQeyMjo2XDcJiuwITgNevSnmv8N-0cbHU&expires_in=3600&scope=api%253A%252A&state=242vvcfsddsfrer&token_type=bearer
Date: Wed, 05 Dec 2018 21:29:51 GMT
Content-Length: 0

Version:

  • Environment: Docker
  • Version tags/v1.0.0-rc.2+oryOS.9
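The symptom in the dump (scope=api%253A%252A on the wire, api%3A%2A after one decode) is what you get when a query value is percent-escaped by hand and then escaped again by url.Values.Encode. The following is an added illustration in Go, not code from Hydra or fosite: it reproduces that double escaping beside the single-escaped form, decodes the Location fragment the way the reporter's client does, and includes a heuristic check for the symptom. The redirect URI, scope and state values are taken from the report; the function names are made up here.

```go
package main

import (
	"net/url"
	"strings"
)

// fragmentDoubleEscaped reproduces the failure mode from the report: the scope
// is percent-escaped once by hand and then escaped again by Values.Encode, so
// the '%' of "%3A" becomes "%25" and the wire carries "api%253A%252A".
func fragmentDoubleEscaped(redirect, scope, state string) string {
	v := url.Values{}
	v.Set("expires_in", "3600")
	v.Set("scope", url.QueryEscape(scope)) // first escape: "api:*" -> "api%3A%2A"
	v.Set("state", state)
	return redirect + "#" + v.Encode() // second escape: "%" -> "%25"
}

// fragmentEscapedOnce is the corrected form: hand Encode the raw value and let
// it escape exactly once, which yields "scope=api%3A%2A" on the wire.
func fragmentEscapedOnce(redirect, scope, state string) string {
	v := url.Values{}
	v.Set("expires_in", "3600")
	v.Set("scope", scope)
	v.Set("state", state)
	return redirect + "#" + v.Encode()
}

// scopeFromLocation does what the reporter's client does: take the fragment of
// the Location header and unescape its parameters exactly once.
func scopeFromLocation(location string) (string, error) {
	frag := location[strings.LastIndex(location, "#")+1:] // whole string if no '#'
	v, err := url.ParseQuery(frag)
	if err != nil {
		return "", err
	}
	return v.Get("scope"), nil
}

// looksDoubleEncoded is a heuristic check for the symptom: a value that still
// changes under a second percent-decode was probably escaped twice. A value
// that legitimately contains a literal "%3A" would be a false positive.
func looksDoubleEncoded(s string) bool {
	once, err := url.QueryUnescape(s)
	if err != nil || once == s {
		return false
	}
	twice, err := url.QueryUnescape(once)
	return err == nil && twice != once
}
```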
@aeneasr aeneasr added the bug Something is not working. label Dec 6, 2018
@aeneasr aeneasr added this to the v1.0.0-rc.3 milestone Dec 6, 2018

aeneasr commented Dec 6, 2018

Would you mind creating a PR?

@aeneasr aeneasr modified the milestones: v1.0.0-rc.4, v1.0.0 Dec 13, 2018
@ngrigoriev (Author)

My lack of familiarity with Go makes it a bit more difficult, but I have not given up yet :)

@ngrigoriev (Author)

I have narrowed it down to ory/fosite#345
