First of all, sorry for my English; specifically, right now; I'm tired and it's a bit late here in Spain and my English flows even worse than my English.

I was adding support for authentication using the GoogleService to a project of mine, and there were problems parsing the OAuth callback URL, specifically when decoding the 'state' parameter. As far as I've seen in the Wt sources, the Wt URL with the session id, which is used as the state parameter, is encoded in base64 with the sha1 codification of the URL itself as a prefix, I assume to check integrity and avoid passing the URL to an incorrect session after Google sends it back. However, there were problems decoding the state parameter returned by Google. I received a "Auth.OAuthService: RedirectEndpoint: could not decode state" error.

After checking step by step the values of the computation when decoding the state parameter, I realized that the state parameter received by Google wasn't exactly the same as the one originally sent. I think the problem is the following one:

(A) The sha1 codification of the URL contains or provokes somehow a control character.
(B) Google changed that control character to its percent-encoding codification (the state parameter of the URL of the pop-up window showing the Google authentication contained %0D%0A, which corresponds to a new line symbol).
(C) For some reason, control characters (in my case, the %0D%0A "token") are removed from the URL at some point of the Wt app.
(D) When recalculating the state parameter, after extracting the URL from the received state parameter (in the decodeState function), it wasn't equal to the original one.
(E) The decodeState function returns an empty string.

I've solved the problem by inheriting from the class GoogleService (thank goodness decodeState is a virtual function) to omit that check. I just decode the state parameter and return the contained URL, which works fine, but I'm worried about the security problems the sha1 prefix (which I ignore now) tries to avoid.

Best regards,
Peregringlk.
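An added example, not part of the original post and not Wt's code: one way to keep an integrity check on the state parameter while making sure the encoded value holds no CR/LF, next to a line-wrapped encoding that does not survive the round trip the post reports. It assumes a keyed HMAC-SHA1 tag and unpadded base64url; SECRET, the sample URL in the usage note and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
from typing import Optional

SECRET = b"constructed-demo-secret"   # assumption: a per-deployment server secret
TAG_LEN = hashlib.sha1().digest_size  # 20 bytes


def _tagged(url: str, secret: bytes) -> bytes:
    raw = url.encode("utf-8")
    return hmac.new(secret, raw, hashlib.sha1).digest() + raw


def encode_state(url: str, secret: bytes = SECRET) -> str:
    """base64url(tag || url): no padding, no line breaks, only [A-Za-z0-9_-]."""
    return base64.urlsafe_b64encode(_tagged(url, secret)).rstrip(b"=").decode("ascii")


def wrapped_state(url: str, secret: bytes = SECRET) -> str:
    """Contrast case: MIME-style base64, which breaks the line every 76 characters."""
    return base64.encodebytes(_tagged(url, secret)).decode("ascii")


def strip_crlf(state: str) -> str:
    """Simulate the transit described in the post: CR/LF dropped somewhere on the way."""
    return state.replace("\r", "").replace("\n", "")


def decode_state(state: str, secret: bytes = SECRET) -> Optional[str]:
    """Return the URL only if the tag verifies; None on any malformed or forged input."""
    try:
        padded = state + "=" * (-len(state) % 4)
        blob = base64.b64decode(padded, altchars=b"-_", validate=True)
    except ValueError:                 # bad alphabet, bad padding, non-ASCII input
        return None
    if len(blob) <= TAG_LEN:
        return None
    tag, raw = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(secret, raw, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
```

For a constructed URL such as `https://app.example/?wtd=CONSTRUCTEDSESSIONID&request=redirect`, `encode_state` gives a value that is identical before and after `strip_crlf`, while `wrapped_state` gives one that changes in transit.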
------------------------------------------------------------------------------
_______________________________________________ witty-interest mailing list witty-interest@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/witty-interest