Skip to content

OidcClientInitiatedLogoutSuccessHandler url-encodes PostLogoutRedirectUri twice #9511

New issue
New issue
Closed
Closed
OidcClientInitiatedLogoutSuccessHandler url-encodes PostLogoutRedirectUri twice#9511
Assignees
jzheaux
Labels
in: oauth2An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)status: backportedAn issue that has been backported to maintenance branchesstatus: feedback-providedFeedback has been providedtype: bugA general bug
Milestone
5.6.0-M1
@hosea

Description

@hosea
hosea
opened on Mar 18, 2021

The OidcClientInitiatedLogoutSuccessHandler url-encodes the PostLogoutRedirectUri twice. This leads to corrupted URLs.

My used postLogoutRedirectUri is:
https://localhost:8443/loginselect?forwardUrl=secureduserinfo%3F0-1.-userinfo-sessioninvalidate

OidcClientInitiatedLogoutSuccessHandler adds this uri as queryparam "post_logout_redirect_uri" to the generated targetUrl. URL-encoding this uri as queryparam should lead to a queryparam like this:
...&post_logout_redirect_uri =https://localhost:8443/loginselect?forwardUrl%3Dsecureduserinfo%253F0-1.-userinfo-sessioninvalidate
But it is url-encoded twice:
...&post_logout_redirect_uri=https://localhost:8443/loginselect?forwardUrl%3Dsecureduserinfo%25253F0-1.-userinfo-sessioninvalidate
(%2525 instead of %25)

Version: spring-security-oauth2-client 5.4.5

Metadata

Metadata

Assignees

Labels

in: oauth2An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)status: backportedAn issue that has been backported to maintenance branchesstatus: feedback-providedFeedback has been providedtype: bugA general bug

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions