Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

State parameter does not handle plus sign properly #875

Closed
backjo opened this issue Aug 26, 2022 · 1 comment
Closed

State parameter does not handle plus sign properly #875

backjo opened this issue Aug 26, 2022 · 1 comment
Assignees
@backjo
Labels
type: bug A general bug
Milestone
0.4.0-RC1

Comments

@backjo
Copy link
Contributor

backjo commented Aug 26, 2022
edited
Loading

Describe the bug
The state parameter applies incorrect URL encoding when a plus sign is present in the state query parameter.

Probably related to spring-projects/spring-framework/issues/21577

To Reproduce
Initiate a standard OAuth2 authorization code flow with a state query parameter containing a plus sign. When the redirect happens with the authorization code, the state query parameter sent will not match the state query parameter that was provided on the initial authorize call. Per specification, the state value in the response must be the 'exact value received from the client'
Expected behavior
Per the OAuth2 specification, the state value in the response must be the 'exact value received from the client'
Sample
Attempt to initiate an OAuth2 authorization code flow with state like below (examples provided with URL parameter encoded and not encoded

With state component encoded:

http://localhost:8080/oauth2/authorize?audience=foo&scope=openid&response_type=code&client_id=tkk78aDthMrMkpJEphYOd66i5GMkWxkv&redirect_uri=https://jwt.io/&state=awrD0fCnEcTUPFgmyy2SU89HZNcnAJ60ZW6l39YI0KyVjmIZ%2B004pwm9j55li7BoydXYysH4enZMF21QFuVjThcHTL67sAj6ZPvmpQM6gao9wZQfRjXIyBYsBZ3N8H4R%2BwCKSR1ltgUenX9eWDL%2FKA%3D%3D

Resulting redirect:
https://jwt.io/?code=oKLM7rW-I1dnF4t92sqUcGubxNHgJ36OBjknkUyl5YogkMwEaIMDfuAi8MkBI-A3s3W4Gx4FvsrjJWLN7_5HIUMYVF7VN9t55A48nynqs3MMxXDJNZJV7YlLf7Zrn55K&state=awrD0fCnEcTUPFgmyy2SU89HZNcnAJ60ZW6l39YI0KyVjmIZ+004pwm9j55li7BoydXYysH4enZMF21QFuVjThcHTL67sAj6ZPvmpQM6gao9wZQfRjXIyBYsBZ3N8H4R+wCKSR1ltgUenX9eWDL/KA%3D%3D

Without state component encoded:

http://localhost:8080/oauth2/authorize?audience=foo&scope=openid&response_type=code&client_id=tkk78aDthMrMkpJEphYOd66i5GMkWxkv&state=awrD0fCnEcTUPFgmyy2SU89HZNcnAJ60ZW6l39YI0KyVjmIZ+004pwm9j55li7BoydXYysH4enZMF21QFuVjThcHTL67sAj6ZPvmpQM6gao9wZQfRjXIyBYsBZ3N8H4R+wCKSR1ltgUenX9eWDL/KA==&redirect_uri=https://jwt.io/

Resulting redirect:
https://jwt.io?code=izOXIFsvOEnA38FdxZLf66qx1G5EFFVENGwhbihuyRoq989kdfcQMk_bMWrypLyLJNenFGkGHTWTaC04NAwST3M2Lt04nSk6YAoRV-B341TVRVDbNR17I3NFXco5jY8L&state=awrD0fCnEcTUPFgmyy2SU89HZNcnAJ60ZW6l39YI0KyVjmIZ%20004pwm9j55li7BoydXYysH4enZMF21QFuVjThcHTL67sAj6ZPvmpQM6gao9wZQfRjXIyBYsBZ3N8H4R%20wCKSR1ltgUenX9eWDL/KA%3D%3D
@backjo backjo added the type: bug A general bug label Aug 26, 2022
@backjo backjo closed this as completed Aug 26, 2022
@backjo backjo reopened this Aug 26, 2022
@backjo backjo mentioned this issue Aug 26, 2022
Closed
@jgrandja
Copy link
Collaborator

Closing as per comment

@jgrandja jgrandja self-assigned this Sep 13, 2022
@jgrandja jgrandja added status: invalid An issue that we don't feel is valid and removed type: bug A general bug labels Sep 13, 2022
@backjo backjo mentioned this issue Oct 5, 2022
Closed
@jgrandja jgrandja reopened this Oct 5, 2022
@jgrandja jgrandja added type: bug A general bug and removed status: invalid An issue that we don't feel is valid labels Oct 5, 2022
@jgrandja jgrandja assigned backjo and unassigned jgrandja Oct 5, 2022
@jgrandja jgrandja added this to the 0.4.0-RC1 milestone Oct 5, 2022
jgrandja pushed a commit that referenced this issue Oct 31, 2022
@backjo @jgrandja
Fix URL encoding for authorization request state parameter
356d669 
Closes gh-875
@andreasf andreasf mentioned this issue Dec 16, 2022
Closed
doba16 pushed a commit to doba16/spring-authorization-server that referenced this issue Apr 21, 2023
@backjo @jgrandja
Fix URL encoding for authorization request state parameter
18236f5 
Closes spring-projectsgh-875
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@backjo backjo

Labels
type: bug A general bug
Projects
None yet
Milestone
0.4.0-RC1
2 participants
@backjo @jgrandja