Some OAuth2 servers don't correctly parse the URL and break the query parameters of the resulting redirect URL.

For example:
Currently generated url:
https://local.host/redirect_page?plugin=my_plugin

Expected generated url:
https://local.host/redirect_page

Currently received request from OAuth2 server:
https://local.host/redirect_page?plugin=my_plugin?code=....

Expected received request from OAuth2 server:
https://local.host/redirect_page?code=....

Comment: #2, File: 3024416-02.patch, Size: 4.19 KB, Author: voleger
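The failure described in the summary, as an added example (not code from the module or the patch): an authorization server that always joins the response with `?` hides `code` from the client's query parser, while merging into the existing query keeps both parameters. The function names and the value `CONSTRUCTED_CODE` are constructed for illustration.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def naive_append(redirect_uri, params):
    """Behaviour reported in the issue: the server always joins with '?'."""
    return redirect_uri + "?" + urlencode(params)


def correct_append(redirect_uri, params):
    """Merge the response parameters into any query the redirect URI already has.

    RFC 6749 section 3.1.2 allows a query component on the redirection
    endpoint and requires it to be retained when parameters are added.
    """
    parts = urlsplit(redirect_uri)
    query = parse_qsl(parts.query, keep_blank_values=True) + list(params.items())
    return urlunsplit(parts._replace(query=urlencode(query)))


def received_params(callback_url):
    """What the client's callback handler sees after standard query parsing."""
    return dict(parse_qsl(urlsplit(callback_url).query, keep_blank_values=True))


def callback_is_mangled(callback_url):
    """Heuristic client-side check for the broken redirect.

    Flags a literal second '?' inside the query (an encoded one would be %3F)
    or a callback that carries neither 'code' nor 'error'.
    """
    query = urlsplit(callback_url).query
    return "?" in query or not ({"code", "error"} & received_params(callback_url).keys())


if __name__ == "__main__":
    uri = "https://local.host/redirect_page?plugin=my_plugin"  # from the issue
    response = {"code": "CONSTRUCTED_CODE"}  # constructed sample value
    for build in (naive_append, correct_append):
        url = build(uri, response)
        print(build.__name__, url, received_params(url), callback_is_mangled(url))
```
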

Comments

voleger created an issue. See original summary.

voleger’s picture

Assigned: voleger » jaypan
Priority: Normal » Major
Status: Needs work » Needs review
Status: new, Size: 4.19 KB

Here is the patch that removes adding the query string. Also, adapted the testing form to the new routes.

dashohoxha’s picture

I have not been able to participate in the recent discussion and development because I cannot test the 8.x branches. But I think that you are doing fine.

However, this issue is conceptual. I don't see anything wrong with query parameters as long as the server has no problem with them. The example that you have presented seems OK to me. I am not sure, but I think that the OAuth2 standard allows this thing (sending query parameters to the server). If the standard allows it, then it is OK.

  • voleger authored cdd09f3 on 8.x-2.x
    Issue #3024416 by voleger: Redirect URL should not contain query...
jaypan’s picture

The problem wasn't in allowing fragments, it was in forcing a specific fragment. I was coming at it from the wrong direction; Voleger's patch is a definite improvement. It's been applied, and an 8.x-2.0-beta3 has been released.

jaypan’s picture

Status: Needs review » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.