
Double URI encoding on additionnalState


Hi,

I’m working on a multi-tenant application and I send the tenant value through the additionnalState param of the initImplicitFlow() function.

Example:

this.oauthService.initImplicitFlow('tenant=test');

The URL generated for the redirection looks like: https:…&state=…%3Btenant%253Dtest&… It’s as if the ‘=’ were encoded twice: encodeURIComponent(encodeURIComponent('tenant=test'))

Clue: By looking at the code, I found that the additionnalState is encoded at lines 1378 and 1415 of createLoginUrl() in OAuthService.ts

state = nonce + this.config.nonceStateSeparator + encodeURIComponent(state);

let url =
  that.loginUrl +
  seperationChar +
  'response_type=' +
  encodeURIComponent(that.responseType) +
  '&client_id=' +
  encodeURIComponent(that.clientId) +
  '&state=' +
  encodeURIComponent(state) +
  '&redirect_uri=' +
  encodeURIComponent(redirectUri) +
  '&scope=' +
  encodeURIComponent(scope);
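To make the double encoding concrete, here is an added JavaScript example (not code from angular-oauth2-oidc or from the issue author) that reproduces the two encodeURIComponent calls quoted above, shows the single encoding the callback side expects, and flags a query value that is still percent-encoded after one decode. The ';' separator, the nonce value and the function names are assumptions.

```javascript
// Assumed default nonce/state separator (the library reads it from config).
const NONCE_STATE_SEPARATOR = ';';

// Mirrors the two encodeURIComponent calls quoted from createLoginUrl():
// the additional state is encoded once when appended to the nonce and again
// when the whole state is placed in the query string.
function buildStateParamBuggy(nonce, additionalState) {
  const state = nonce + NONCE_STATE_SEPARATOR + encodeURIComponent(additionalState);
  return '&state=' + encodeURIComponent(state);
}

// Encode exactly once, at the single point where the value enters the URL.
function buildStateParamFixed(nonce, additionalState) {
  const state = nonce + NONCE_STATE_SEPARATOR + additionalState;
  return '&state=' + encodeURIComponent(state);
}

// What the callback handler gets after the query string is decoded once:
// with the buggy builder the additional state still carries '%3D' instead of '='.
function parseStateFromCallback(queryString) {
  const raw = new URLSearchParams(queryString).get('state') || '';
  const idx = raw.indexOf(NONCE_STATE_SEPARATOR);
  return { nonce: raw.slice(0, idx), additionalState: raw.slice(idx + 1) };
}

// Heuristic check on the raw (still encoded) query value: an encoded percent
// sign followed by two hex digits ('%25XX') means the value was encoded twice.
function isDoubleEncoded(rawQueryValue) {
  return /%25[0-9A-Fa-f]{2}/.test(rawQueryValue);
}

// Constructed sample matching the issue: nonce 'abc', additional state 'tenant=test'.
const buggy = buildStateParamBuggy('abc', 'tenant=test'); // '&state=abc%3Btenant%253Dtest'
const fixed = buildStateParamFixed('abc', 'tenant=test'); // '&state=abc%3Btenant%3Dtest'
console.log(buggy, parseStateFromCallback(buggy.slice(1)).additionalState);
console.log(fixed, parseStateFromCallback(fixed.slice(1)).additionalState);
```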

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 8

Top GitHub Comments

amortemousque commented, Apr 8, 2020 (2 reactions)

Hello, yes, very strange. I double-checked and I do not encode the state before calling initImplicitFlow(). I upgraded to the latest version and I got the same issue, so I’ve downgraded to version 8.0.2 and now it’s working. Looking at the code of version 8.0.2, the state is already encoded on line https://github.com/manfredsteyer/angular-oauth2-oidc/blob/a1652dc58e38377ce1e352feafb9656136e98fa0/projects/lib/src/oauth-service.ts#L1225

I’ll create a minimal repo when I have more time.

jeroenheijmans commented, Jul 17, 2021 (0 reactions)

I believe v12 has a couple of changes also around this. Since the issue slowed down quite a bit I’m gonna close. Please open a fresh issue with a reproducible scenario for v12 if it persists.

