... flows even worse than my code.

2016-08-24 0:39 GMT+02:00 Aarón Bueno Villares <abv15...@gmail.com>:

> First of all, sorry for my English; specifically, right now; I'm tired and
> it's a bit late here in Spain and my English flows even worse than my
> English.
>
> I was adding to a project of mine support for authentication using the
> GoogleService, and there were problems parsing the oauth callback url,
> specifically, when decoding the 'state' parameter.
>
> As far as I've seen in the Wt sources, the wt url with the session id
> which is used as state parameter, is encoded in base64 with the sha1
> codification of the url itself as prefix, I assume to check integrity and
> avoid passing the url to an incorrect session, after Google resends it back.
>
> However, there were problems decoding that state parameter returned by
> google. I received an "Auth.OAuthService: RedirectEndpoint: could not decode
> state" error.
>
> After checking step by step the values of the computation when decoding
> the state parameter, I realized that the state parameter received by google
> wasn't exactly the same as the one originally sent.
>
> I think the problem is the following one:
>
>     (A) The sha1 codification of the url contains or provokes somehow a
> control character.
>
>     (B) Google changed that control character to its percent-encoding
> codification (the state parameter of the url of the pop-up window showing
> the google authentication contained %0D%0A, which corresponds to a new
> line symbol).
>
>     (C) For some reason, control characters (in my case, the %0D%0A
> "token") are removed from the url at some point of the Wt app.
>
>     (D) When recalculating the state parameter, after extracting the url
> from the received state parameter (in the decodeState function), it wasn't
> equal to the original one.
>
>     (E) The decodeState function returns an empty string.
>
> I've solved the problem by inheriting from the class GoogleService (thank
> God decodeState is a virtual function), to omit that check. I just decode
> the state parameter and return the contained url, which works fine, but I'm
> worried about the security problems the sha1 prefix (which I ignore now)
> tries to avoid.
>
> Best regards,
> Peregringlk.
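The encode/decode scheme the mail describes, as an added Python illustration (not Wt's own C++ code; Python is used here only because sha1 and base64 are in its standard library). It assumes a state of the form base64(sha1(url) || url) and a decoder that works like step (D): recover the url, re-encode it, and require the received state to match exactly. As one assumed way a control character can get into the state, `encode_state_wrapped` uses a line-wrapping base64 encoder, which inserts a newline every 76 characters; the mail saw CRLF (%0D%0A), the Python encoder emits LF, and both are control characters that the modelled path strips. `encode_state_safe` keeps the integrity check and only changes the encoding to unwrapped URL-safe base64, so the value survives the redirect unchanged. The callback URL is constructed.

```python
import base64
import hashlib
import urllib.parse

DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes prefixed to the url

# Constructed callback url (the session id in it is made up for the example).
URL = "http://localhost:8080/?wtd=abcdef0123456789&oauth=1"


def encode_state_wrapped(url: str) -> str:
    """state = base64(sha1(url) || url) with a line-wrapping base64 encoder.
    encodebytes() inserts "\n" every 76 output characters, which is the
    assumed source of the control character; it is not Wt's encoder."""
    digest = hashlib.sha1(url.encode()).digest()
    return base64.encodebytes(digest + url.encode()).decode()


def encode_state_safe(url: str) -> str:
    """Same layout and same sha1 integrity prefix, but unwrapped URL-safe
    base64: no control characters, no '+' or '/' for the transport to mangle."""
    digest = hashlib.sha1(url.encode()).digest()
    return base64.urlsafe_b64encode(digest + url.encode()).decode()


def decode_state(state: str, encode) -> str:
    """Mirror of step (D) in the mail: decode, take the url after the digest,
    rebuild the state with the given encoder and demand an exact match.
    Returns "" on any failure, as the mail reports decodeState doing."""
    try:
        # urlsafe_b64decode also accepts standard base64 and skips newlines.
        raw = base64.urlsafe_b64decode(state)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""
    if len(raw) <= DIGEST_LEN:
        return ""
    url = raw[DIGEST_LEN:].decode("utf-8", errors="replace")
    if encode(url) != state:
        return ""
    return url


def transport_roundtrip(state: str) -> str:
    """Model of the path in steps (B) and (C), constructed for the example:
    the provider percent-encodes the state when redirecting back, the
    application decodes it, then CR/LF control characters are dropped."""
    encoded = urllib.parse.quote(state, safe="")   # "\n" -> "%0A"
    decoded = urllib.parse.unquote(encoded)
    return "".join(ch for ch in decoded if ch not in "\r\n")


def forge_state_without_valid_digest(url: str) -> str:
    """A state whose digest does not match its url: the integrity check
    should reject it, which is what omitting the check gives up."""
    return base64.urlsafe_b64encode(bytes(DIGEST_LEN) + url.encode()).decode()


if __name__ == "__main__":
    wrapped = encode_state_wrapped(URL)
    print("wrapped state decodes before the redirect:",
          decode_state(wrapped, encode_state_wrapped) == URL)
    print("wrapped state decodes after the redirect:",
          decode_state(transport_roundtrip(wrapped), encode_state_wrapped) == URL)
    safe = encode_state_safe(URL)
    print("url-safe state decodes after the redirect:",
          decode_state(transport_roundtrip(safe), encode_state_safe) == URL)
    print("forged state rejected:",
          decode_state(forge_state_without_valid_digest(URL), encode_state_safe) == "")
```

The point for a defender is that the failure is in the encoding, not in the check: the forged state above is rejected only because the sha1 comparison is still in place, so the fix is to make the state transport-safe rather than to override decodeState and skip the comparison.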
------------------------------------------------------------------------------
_______________________________________________
witty-interest mailing list
witty-interest@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/witty-interest