State parameter does not handle plus sign properly #875

Closed
@backjo

Describe the bug
The state parameter applies incorrect URL encoding when a plus sign is present in the state query parameter.

Probably related to spring-projects/spring-framework/issues/21577

To Reproduce

Initiate a standard OAuth2 authorization code flow with a state query parameter containing a plus sign. When the redirect happens with the authorization code, the state query parameter sent will not match the state query parameter that was provided on the initial authorize call. Per specification, the state value in the response must be the 'exact value received from the client'.

Expected behavior

Per the OAuth2 specification, the state value in the response must be the 'exact value received from the client'.

Sample

Attempt to initiate an OAuth2 authorization code flow with a state like the one below (examples provided with the URL parameter encoded and not encoded):

With state component encoded:

http://localhost:8080/oauth2/authorize?audience=foo&scope=openid&response_type=code&client_id=tkk78aDthMrMkpJEphYOd66i5GMkWxkv&redirect_uri=https://jwt.io/&state=awrD0fCnEcTUPFgmyy2SU89HZNcnAJ60ZW6l39YI0KyVjmIZ%2B004pwm9j55li7BoydXYysH4enZMF21QFuVjThcHTL67sAj6ZPvmpQM6gao9wZQfRjXIyBYsBZ3N8H4R%2BwCKSR1ltgUenX9eWDL%2FKA%3D%3D

Resulting redirect:

https://jwt.io/?code=oKLM7rW-I1dnF4t92sqUcGubxNHgJ36OBjknkUyl5YogkMwEaIMDfuAi8MkBI-A3s3W4Gx4FvsrjJWLN7_5HIUMYVF7VN9t55A48nynqs3MMxXDJNZJV7YlLf7Zrn55K&state=awrD0fCnEcTUPFgmyy2SU89HZNcnAJ60ZW6l39YI0KyVjmIZ+004pwm9j55li7BoydXYysH4enZMF21QFuVjThcHTL67sAj6ZPvmpQM6gao9wZQfRjXIyBYsBZ3N8H4R+wCKSR1ltgUenX9eWDL/KA%3D%3D

Without state component encoded:

http://localhost:8080/oauth2/authorize?audience=foo&scope=openid&response_type=code&client_id=tkk78aDthMrMkpJEphYOd66i5GMkWxkv&state=awrD0fCnEcTUPFgmyy2SU89HZNcnAJ60ZW6l39YI0KyVjmIZ+004pwm9j55li7BoydXYysH4enZMF21QFuVjThcHTL67sAj6ZPvmpQM6gao9wZQfRjXIyBYsBZ3N8H4R+wCKSR1ltgUenX9eWDL/KA==&redirect_uri=https://jwt.io/

Resulting redirect:

https://jwt.io?code=izOXIFsvOEnA38FdxZLf66qx1G5EFFVENGwhbihuyRoq989kdfcQMk_bMWrypLyLJNenFGkGHTWTaC04NAwST3M2Lt04nSk6YAoRV-B341TVRVDbNR17I3NFXco5jY8L&state=awrD0fCnEcTUPFgmyy2SU89HZNcnAJ60ZW6l39YI0KyVjmIZ%20004pwm9j55li7BoydXYysH4enZMF21QFuVjThcHTL67sAj6ZPvmpQM6gao9wZQfRjXIyBYsBZ3N8H4R%20wCKSR1ltgUenX9eWDL/KA%3D%3D
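The round trip the report describes, as an added example that is not part of the issue or of the project's code: a Python stand-in for the client and the authorization server, using a constructed short state value with the characters that matter ('+', '/' and '=' padding). It shows why a '+' re-emitted as %20 or as a bare plus fails the client's exact-match check on the returned state, while percent-encoding the decoded value preserves it. The client id, redirect URI and authorization code are constructed placeholders.

```python
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Constructed sample state: a short stand-in for the base64-style value in the
# report, keeping the characters that matter ('+', '/' and '=' padding).
STATE = "awrD+004/KA=="


def build_authorize_url(base, client_id, redirect_uri, state):
    """Client side: percent-encode every query value, so '+' goes out as %2B."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    return base + "?" + urlencode(params, quote_via=quote)


def extract_state(url):
    """Decode the query the way a form-decoding parser does ('+' becomes a
    space, %XX sequences are decoded) and return the state value."""
    query = urlsplit(url).query
    return parse_qs(query, keep_blank_values=True).get("state", [None])[0]


def build_redirect(redirect_uri, code, state):
    """Authorization server side: re-encode the *decoded* state so the client
    gets back exactly the value it sent once it decodes the query again."""
    return redirect_uri + "?" + urlencode({"code": code, "state": state}, quote_via=quote)


def state_matches(expected, redirect_url):
    """Client-side check on the redirect: the returned state must equal the
    stored one byte for byte, otherwise the response is rejected."""
    return extract_state(redirect_url) == expected


if __name__ == "__main__":
    auth_url = build_authorize_url("http://localhost:8080/oauth2/authorize",
                                   "client-xyz", "https://client.example/cb", STATE)
    received = extract_state(auth_url)  # what the server sees: 'awrD+004/KA=='
    good = build_redirect("https://client.example/cb", "CODE123", received)
    # Constructed imitation of the reported behaviour: the '+' comes back as %20
    # (a bare '+' behaves the same), which form decoding turns into a space.
    bad = "https://client.example/cb?code=CODE123&state=awrD%20004/KA%3D%3D"
    print(state_matches(STATE, good), state_matches(STATE, bad))  # True False
```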
