Just wanted to note the patch/fix is now merged.

Thank you David!

On Friday, January 24, 2020 at 1:06:47 PM UTC+4, David Albrecht wrote:
>
> Hi all,
>
> When using the implicit grant and passing a state parameter which contains 
> special characters, the state parameter in the returned redirect doesn't 
> match.
>
> Example:
>
> https://localhost:25443/ffauth/oauth2.0/authorize?response_type=token&client_id=swagger&redirect_uri=http%3A%2F%2Flocalhost%3A24080%2Fffwebservices%2Fswagger%2Foauth2-redirect.html&scope=write%20read&state=RnJpIEphbiAyNCAyMDIwIDA5OjQ4OjM3IEdNVCswMTAwIChNaXR0ZWxldXJvcMOkaXNjaGUgTm9ybWFsemVpdCk%3D
>
> leads to a redirect to:
>
> http://localhost:24080/ffwebservices/swagger/oauth2-redirect.html#access_token=eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.ZXlKNmFYQWlPaUpFUlVZaUxDSmhiR2NpT2lKa2FYSWlMQ0psYm1NaU9pSkJNVEk0UTBKRExVaFRNalUySWl3aVkzUjVJam9pU2xkVUlpd2lkSGx3SWpvaVNsZFVJbjAuLml6NjUycnV5LV9IRXN4RTBNckRudEEuWUFmNThMN2FjanM5cExoVVpjR1hma3pYc1lrSnpFUkQtSmp6V0VyTDNMUW0tSEdVZV9Pa3FESEhnalRySVMweDhoRkhQb2JCQy12RGJnWWlxT2wyUTJONGNVMTZ3bEJCcjlMUEg3Qjk4MUUzQ1ltN0Vlb2pCa2N3VjlwZ3J3TDIwVndnc0xIbmNFc1VPZV9ic1NidnRURVM3RElxVWJfbjVUUk1OYy01TmROTGRjd2Z1V3VGNTRkcXpCMGQ3R3ZieTNqdXZJNEkwMHNpOTEyMGRoNGRsU1hxMEdDV0VwOWE3cWVaTnZSa1hWYlRrcFZHaFRNbUFBOXBkT2k2dWlrb3ZfSFNwYVRKczBkMnN3REN5ejhzVk4xUEJfamRDU3dla0dxanR5WkxZcTdnNktGMEtIZGFlakZhTzVfdk9rNkYyODNBQ2RHcmVhSjBXNjhJc2dhQkYwVUhHMUNXYzdlNDB3LTEzQk1ZTW9SazhOLVoxR092TTVreTN5elJLUnZ1OTRXelFXd0dsYl9aWmNYLW11Wldsd0JyNVFUaTItZlpDeUVFNXZuMG9zcy5jQ0xnMkYwUGdMOC1ENHl0V091djNn.n2rpw9_bXKx78LdxjSyET6xCkN5je9q-KJD_M_llMmOaDH5XZzpKTIl1cLzjz-5Ewg6WQYvM1oufkLMPeZSOKg&token_type=bearer&expires_in=86400&state=RnJpIEphbiAyNCAyMDIwIDA5OjQ4OjM3IEdNVCswMTAwIChNaXR0ZWxldXJvcMOkaXNjaGUgTm9ybWFsemVpdCk%253D
>
>
> As you can see, the '%' is returned URL-encoded as '%25'. This leads to 
> errors like:
>
> *auth warning*Authorization may be unsafe, passed state was changed in 
> server Passed state wasn't returned from auth server.
>
> In addition, it seems to violate 
> https://tools.ietf.org/html/rfc6749#section-4.2.1
>
> Regards
> David
>

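The double encoding David describes, reproduced as an added Python example (not CAS code; the token value and the function names are constructed): it decodes the authorize request once, builds the RFC 6749 section 4.2.2 fragment redirect both correctly and with the extra encoding, and runs the client-side state comparison that produced the swagger warning.

```python
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Constructed sample modelled on the report: the authorize request carries a
# base64 state whose trailing '=' is sent percent-encoded as %3D.
AUTHORIZE_URL = (
    "https://localhost:25443/ffauth/oauth2.0/authorize?response_type=token"
    "&client_id=swagger&redirect_uri=http%3A%2F%2Flocalhost%3A24080%2F"
    "ffwebservices%2Fswagger%2Foauth2-redirect.html&scope=write%20read"
    "&state=RnJpIEphbiAyNCAyMDIwIDA5OjQ4OjM3IEdNVCswMTAwIChNaXR0ZWxldXJvcMOk"
    "aXNjaGUgTm9ybWFsemVpdCk%3D"
)

def parse_authorize_request(url):
    """Decode the query string exactly once, as a server's request parser does."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

def build_implicit_redirect(req, access_token, double_encode_state=False):
    """Build the fragment response of an implicit grant (RFC 6749, 4.2.2).

    double_encode_state=True mimics the reported bug: the already-decoded state
    is percent-encoded by hand and then encoded again when the fragment is
    assembled, so '=' becomes %3D and then %253D.
    """
    state = req["state"]
    if double_encode_state:
        state = quote(state, safe="")  # one encoding too many
    fragment = urlencode({
        "access_token": access_token,
        "token_type": "bearer",
        "expires_in": "86400",
        "state": state,  # urlencode applies the single, correct encoding
    })
    return req["redirect_uri"] + "#" + fragment

def client_state_matches(redirect_url, expected_state):
    """The client-side check (what swagger's oauth2-redirect page does): the
    state decoded from the fragment must equal the state it originally sent."""
    returned = parse_qs(urlsplit(redirect_url).fragment).get("state", [None])[0]
    return returned == expected_state

if __name__ == "__main__":
    req = parse_authorize_request(AUTHORIZE_URL)
    good = build_implicit_redirect(req, "tok_constructed")
    bad = build_implicit_redirect(req, "tok_constructed", double_encode_state=True)
    print(good.endswith("%3D"), client_state_matches(good, req["state"]))  # True True
    print(bad.endswith("%253D"), client_state_matches(bad, req["state"]))  # True False
```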
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/9b112418-2107-4473-aaf3-fa49b6113406%40apereo.org.