... flows even worse than my code.

2016-08-24 0:39 GMT+02:00 Aarón Bueno Villares <abv15...@gmail.com>:
> First of all, sorry for my English; specifically, right now, I'm tired and
> it's a bit late here in Spain and my English flows even worse than my
> English.
>
> I was adding to a project of mine support for authentication using the
> GoogleService, and there were problems parsing the OAuth callback URL,
> specifically when decoding the 'state' parameter.
>
> As far as I've seen in the Wt sources, the Wt URL with the session id,
> which is used as the state parameter, is encoded in base64 with the SHA-1
> codification of the URL itself as prefix, I assume to check integrity and
> avoid passing the URL to an incorrect session after Google resends it back.
>
> However, there were problems decoding that state parameter returned by
> Google. I received an "Auth.OAuthService: RedirectEndpoint: could not decode
> state" error.
>
> After checking step by step the values of the computation when decoding
> the state parameter, I realized that the state parameter received from Google
> wasn't exactly the same as the one originally sent.
>
> I think the problem is the following one:
>
> (A) The SHA-1 codification of the URL somehow contains or provokes a
> control character.
>
> (B) Google changed that control character to its percent-encoded
> codification (the state parameter of the URL of the pop-up window showing
> the Google authentication contained %0D%0A, which corresponds to a new
> line symbol).
>
> (C) For some reason, control characters (in my case, the %0D%0A
> "token") are removed from the URL at some point in the Wt app.
>
> (D) When recalculating the state parameter after extracting the URL
> from the received state parameter (in the decodeState function), it wasn't
> equal to the original one.
>
> (E) The decodeState function returns an empty string.
>
> I've solved the problem by inheriting from the class GoogleService (thank
> god decodeState is a virtual function) to omit that check. I just decode
> the state parameter and return the contained URL, which works fine, but I'm
> worried about the security problems the SHA-1 prefix (which I ignore now)
> tries to avoid.
>
> Best regards,
> Peregringlk.
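The scheme the message describes (SHA-1 digest of the URL as a prefix, then base64), as an added Python example that is not Wt's own code: one encoder that wraps its base64 output with CR LF, which is one way to end up with %0D%0A in the callback, one that emits a single line in the URL-safe alphabet, and a strict decoder that fails closed both when the transported string is damaged and when the digest does not match the embedded URL. All function names, the sample URL and the simulated round trip are constructed for this example.

```python
import base64
import binascii
import hashlib
import hmac
from urllib.parse import quote, unquote

# Hypothetical names; they mirror the scheme described in the message and
# are not Wt's implementation.

DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes


def _payload(url: str) -> bytes:
    """SHA-1 digest of the URL, followed by the URL itself."""
    u = url.encode("utf-8")
    return hashlib.sha1(u).digest() + u


def encode_state_wrapped(url: str) -> str:
    """MIME-style base64 that breaks lines with CR LF every 76 characters.
    Control characters in a query parameter get percent-encoded (%0D%0A)
    by the provider and may be stripped or rejected on the way back."""
    return base64.encodebytes(_payload(url)).decode("ascii").replace("\n", "\r\n")


def encode_state_urlsafe(url: str) -> str:
    """Single line, URL-safe alphabet: nothing for an intermediary to
    percent-encode or strip, so the string survives the round trip."""
    return base64.urlsafe_b64encode(_payload(url)).decode("ascii")


def decode_state(state: str) -> str:
    """Return the embedded URL if the digest prefix matches, else ''.
    The decoder is strict: any character outside the base64 alphabet
    (CR and LF included) makes it fail closed instead of guessing."""
    std = state.replace("-", "+").replace("_", "/")
    try:
        raw = base64.b64decode(std, validate=True)
    except binascii.Error:
        return ""
    digest, url = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    if not hmac.compare_digest(digest, hashlib.sha1(url).digest()):
        return ""
    return url.decode("utf-8", errors="replace")


def through_callback(state: str) -> str:
    """Simulated round trip: the provider percent-encodes the state into the
    redirect URL and the application percent-decodes it on return."""
    return unquote(quote(state, safe=""))


def carries_crlf(state: str) -> bool:
    """True if the percent-encoded form of the state contains %0D%0A."""
    return "%0D%0A" in quote(state, safe="")


def state_with_wrong_url(original_url: str, other_url: str) -> str:
    """Digest computed over one URL but carrying another, i.e. a corrupted
    or modified callback (constructed to exercise the check)."""
    payload = hashlib.sha1(original_url.encode("utf-8")).digest() + other_url.encode("utf-8")
    return base64.urlsafe_b64encode(payload).decode("ascii")


# Constructed sample, long enough that a 76-column encoder wraps it.
SAMPLE_URL = "https://app.example.invalid/oauth/callback?wtd=constructed-session-id-0123456789abcdef"

if __name__ == "__main__":
    wrapped = encode_state_wrapped(SAMPLE_URL)
    print("wrapped state carries %0D%0A:", carries_crlf(wrapped))
    print("wrapped state decodes to:", repr(decode_state(through_callback(wrapped))))
    flat = encode_state_urlsafe(SAMPLE_URL)
    print("urlsafe state decodes to:", decode_state(through_callback(flat)))
    print("mismatched URL decodes to:",
          repr(decode_state(state_with_wrong_url(SAMPLE_URL, "https://other.invalid/"))))
```

The digest prefix only detects that the URL inside the state is not the one it was computed over; it is an unkeyed hash, so it does not by itself prove the state came from this application. Binding the state to the session with a keyed MAC, or with a random value stored server-side and compared on return, is what protects the callback against forged or replayed state values, which is why dropping the check entirely is the part worth worrying about.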
------------------------------------------------------------------------------
_______________________________________________
witty-interest mailing list
witty-interest@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/witty-interest