Describe the bug
The state parameter applies incorrect URL encoding when a plus sign is present in the state query parameter.
Probably related to spring-projects/spring-framework/issues/21577
To Reproduce
Initiate a standard OAuth2 authorization code flow with a state query parameter containing a plus sign. When the redirect happens with the authorization code, the state query parameter sent will not match the state query parameter that was provided on the initial authorize call. Per specification, the state value in the response must be the 'exact value received from the client'.
Expected behavior
Per the OAuth2 specification, the state value in the response must be the 'exact value received from the client'.
Sample
Attempt to initiate an OAuth2 authorization code flow with state like below (examples provided with URL parameter encoded and not encoded).
With state component encoded:
Without state component encoded:
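The round trip described in this report, as an added example that is not part of the original issue and is not Spring code: it models a server that form-decodes `state` and then echoes it with an encoder that leaves `+` literal, next to one that form-encodes it. The host names, client id, code value and the "leaves `+` literal" encoder are assumptions made for the illustration.

```python
import hmac
from urllib.parse import parse_qs, quote, quote_plus, urlsplit

CALLBACK = "https://client.example/callback"  # constructed placeholder


def _state_of(url):
    # parse_qs applies form decoding: '+' -> space, '%2B' -> '+'
    return parse_qs(urlsplit(url).query, keep_blank_values=True)["state"][0]


def rfc3986_query_encoder(value):
    # ASSUMED model of the faulty step: '+' is a legal RFC 3986 query
    # character, so a URI-level encoder leaves it untouched.
    return quote(value, safe="+")


def form_encoder(value):
    # Form encoding is the inverse of parse_qs: space -> '+', '+' -> '%2B'.
    return quote_plus(value)


def server_redirect(authorize_url, encode_query_value):
    """Authorization server side: read `state` and echo it on the redirect."""
    state = _state_of(authorize_url)
    return f"{CALLBACK}?code=constructed-code&state={encode_query_value(state)}"


def round_trip(state, encode_query_value):
    """Return (state seen by the client, whether it equals what was sent)."""
    authorize_url = (
        "https://as.example/authorize?response_type=code"
        f"&client_id=constructed-client&state={quote_plus(state)}"
    )
    returned = _state_of(server_redirect(authorize_url, encode_query_value))
    # Constant-time comparison, as a client should use for the state check.
    return returned, hmac.compare_digest(returned.encode(), state.encode())


if __name__ == "__main__":
    for sample in ("abc+def", "abc def", "abc-def_123"):  # constructed values
        for encoder in (rfc3986_query_encoder, form_encoder):
            print(f"{sample!r:15} {encoder.__name__:22} -> {round_trip(sample, encoder)}")
```

A client that correctly rejects the mismatched `state` aborts the login, so the visible symptom is a failed flow for any state value containing `+`; values drawn from an alphabet without `+` (for example base64url) are unaffected.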