1 Reply Latest reply on Apr 19, 2016 3:40 PM by gozer

    OAuth 2.0 - the state query parameter comes back unescaped

    gozer

      Hi,

      We've recently implemented an OAuth login strategy for a client to allow their users to log in to their website using their username and password from an existing Jive community, based on the available document (OAuth 2.0) using an Authorization Code Grant scenario.

      It all works very well using the standard workflow but we did notice a small bug:

      As part of the OAuth workflow, it is possible (and recommended) to send a state attribute across that the auth server sends back as a query string parameter.

      We've noticed that the state comes back as an unescaped query parameter.

      In most cases it works fine, e.g. if the state is alphanumeric, but it breaks if the state contains certain characters that should have been escaped.

      For example, if the state is VeiGtjY7AAMwqk2+KcBMOByknSiJhDhX and the + comes back unescaped in the URL, it suddenly means a space and fails the validation coming back to the OAuth client website.

      Hope this helps.

      Let us know if you need additional info.

      Cheers

      Ben
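The failure described in the post above, as an added example that is not part of the original thread: a small Python script (helper names are hypothetical; the authorization code and redirect URI are constructed samples) that builds the callback URL both with and without escaping, shows the client-side state check rejecting the unescaped `+`, and generates a URL-safe state as the client-side mitigation a relying party can apply while the server is unfixed.

```python
# Added example (not from the original post). Reproduces the reported
# "+ becomes a space" bug and shows the server-side and client-side fixes.
from urllib.parse import urlencode, urlsplit, parse_qs
import secrets

AUTH_CODE = "abc123"                                    # constructed sample
REDIRECT_URI = "https://client.example/oauth/callback"  # constructed sample


def build_redirect(redirect_uri, code, state, escape=True):
    """Authorization server side: build the redirect back to the client.

    escape=True  : percent-encode the query, as RFC 6749 requires, because
                   'state' is opaque and may contain any printable ASCII.
    escape=False : paste the raw value in, reproducing the reported bug.
    """
    if escape:
        query = urlencode({"code": code, "state": state})
    else:
        query = f"code={code}&state={state}"
    return f"{redirect_uri}?{query}"


def validate_callback(url, expected_state):
    """Client side: parse the callback and compare the echoed state.

    parse_qs decodes the query, so a literal '+' becomes ' ', which is
    exactly why an unescaped '+' in state fails the comparison.
    """
    params = parse_qs(urlsplit(url).query)
    returned = params.get("state", [None])[0]
    return returned == expected_state


def new_state():
    """Client-side mitigation: draw state from a URL-safe alphabet
    (A-Z, a-z, 0-9, '-', '_') so it survives even a non-escaping server."""
    return secrets.token_urlsafe(24)


if __name__ == "__main__":
    state = "VeiGtjY7AAMwqk2+KcBMOByknSiJhDhX"  # value from the post
    broken = build_redirect(REDIRECT_URI, AUTH_CODE, state, escape=False)
    fixed = build_redirect(REDIRECT_URI, AUTH_CODE, state, escape=True)
    print(validate_callback(broken, state))  # False: '+' decoded as ' '
    print(validate_callback(fixed, state))   # True: '+' sent as %2B
    safe = new_state()
    print(validate_callback(
        build_redirect(REDIRECT_URI, AUTH_CODE, safe, escape=False), safe))  # True
```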