Double URI encoding on additionalState
Hi,
I'm working on a multi-tenant application and I send the tenant value through the additionalState param of the initImplicitFlow() function.
Example:
this.oauthService.initImplicitFlow('tenant=test');
The URL generated for the redirection looks like: https:…&state=…%3Btenant%253Dtest&…
It's like the '=' is encoded twice: encodeURIComponent(encodeURIComponent('tenant=test'))
Clue: by looking at the code, I found that the additionalState is encoded at lines 1378 and 1415 of createLoginUrl() in OAuthService.ts
    // line 1378: first encoding, when the additional state is joined to the nonce
    state = nonce + this.config.nonceStateSeparator + encodeURIComponent(state);

    // line 1415: second encoding, when the combined state is put into the query string
    let url =
      that.loginUrl +
      seperationChar +
      'response_type=' +
      encodeURIComponent(that.responseType) +
      '&client_id=' +
      encodeURIComponent(that.clientId) +
      '&state=' +
      encodeURIComponent(state) +
      '&redirect_uri=' +
      encodeURIComponent(redirectUri) +
      '&scope=' +
      encodeURIComponent(scope);
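The following is an added example, not code from the issue or from angular-oauth2-oidc. It reproduces the double encoding of the state parameter side by side with a variant that encodes once, then shows what a callback handler gets back after URLSearchParams performs its single decode, plus a check for leftover percent sequences. The config shape, the nonce value and the function names (buildLoginUrlDoubleEncoded, buildLoginUrl, parseStateParam, looksDoubleEncoded) are assumptions made for the illustration.

```typescript
// Added example; not the library's own code. Names and sample values are
// constructed for illustration only.

interface LoginConfig {
  loginUrl: string;
  clientId: string;
  responseType: string;
  redirectUri: string;
  scope: string;
  nonceStateSeparator: string;
}

// Sample configuration, constructed for this example.
const sampleConfig: LoginConfig = {
  loginUrl: 'https://idp.example.test/authorize',
  clientId: 'spa-client',
  responseType: 'id_token token',
  redirectUri: 'https://app.example.test/callback',
  scope: 'openid profile',
  nonceStateSeparator: ';',
};

// Assembles the query string; every parameter is percent-encoded exactly once,
// at the point where it becomes part of the URL.
function buildQuery(config: LoginConfig, state: string): string {
  return (
    config.loginUrl +
    '?response_type=' + encodeURIComponent(config.responseType) +
    '&client_id=' + encodeURIComponent(config.clientId) +
    '&state=' + encodeURIComponent(state) +
    '&redirect_uri=' + encodeURIComponent(config.redirectUri) +
    '&scope=' + encodeURIComponent(config.scope)
  );
}

// "Before": the additional state is encoded while being joined to the nonce and
// encoded again by buildQuery, which is the behaviour reported in the issue.
function buildLoginUrlDoubleEncoded(config: LoginConfig, nonce: string, additionalState: string): string {
  const state = nonce + config.nonceStateSeparator + encodeURIComponent(additionalState);
  return buildQuery(config, state);
}

// "After": the raw additional state is joined to the nonce and encoded only
// once, by buildQuery.
function buildLoginUrl(config: LoginConfig, nonce: string, additionalState: string): string {
  const state = nonce + config.nonceStateSeparator + additionalState;
  return buildQuery(config, state);
}

// What the redirect handler sees: URLSearchParams removes exactly one layer of
// percent-encoding, so a doubly encoded value still carries %XX sequences.
function parseStateParam(url: string, separator: string): { nonce: string; additionalState: string } {
  const state = new URL(url).searchParams.get('state') ?? '';
  const idx = state.indexOf(separator);
  if (idx < 0) {
    return { nonce: state, additionalState: '' };
  }
  return { nonce: state.slice(0, idx), additionalState: state.slice(idx + separator.length) };
}

// Heuristic check for a captured redirect: after the single decode, an
// additional-state value that still contains a %XX sequence was encoded twice
// (unless the raw state legitimately contained a literal percent sign).
function looksDoubleEncoded(additionalState: string): boolean {
  return /%[0-9A-Fa-f]{2}/.test(additionalState);
}

// Stand-alone demonstration.
const doubleEncodedUrl = buildLoginUrlDoubleEncoded(sampleConfig, 'n1', 'tenant=test');
const singleEncodedUrl = buildLoginUrl(sampleConfig, 'n1', 'tenant=test');
console.log(doubleEncodedUrl);              // ...&state=n1%3Btenant%253Dtest&...
console.log(parseStateParam(doubleEncodedUrl, ';')); // additionalState: 'tenant%3Dtest'
console.log(singleEncodedUrl);              // ...&state=n1%3Btenant%3Dtest&...
console.log(parseStateParam(singleEncodedUrl, ';')); // additionalState: 'tenant=test'
```

The practical consequence of the double encoding is that a callback handler that splits on the separator and compares the tenant value against what it sent gets 'tenant%3Dtest' back instead of 'tenant=test', so the round trip fails unless the application decodes a second time. Encoding at the single point where the value enters the query string is what keeps the round trip symmetric.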
Top GitHub Comments
Hello, yes, very strange. I double-checked and I do not encode the state before calling initImplicitFlow(). I upgraded to the latest version and I got the same issue, so I've downgraded to version 8.0.2 and now it's working. Looking at the code of version 8.0.2, the state is already encoded on line https://github.com/manfredsteyer/angular-oauth2-oidc/blob/a1652dc58e38377ce1e352feafb9656136e98fa0/projects/lib/src/oauth-service.ts#L1225
I'll create a minimal repo when I have more time.
I believe v12 has a couple of changes around this as well. Since the issue has slowed down quite a bit, I'm gonna close. Please open a fresh issue with a reproducible scenario for v12 if it persists.