Auth State mismatch. URL Double Encoding #1005

Closed
kucjac opened this issue Aug 23, 2018 · 3 comments

kucjac commented Aug 23, 2018

Hi
We're using your full stack with the latest versions (hydra version: 'v1.0.0-beta.8').
On the front end we're using Nuxt.js with Nuxt-Auth authorization library.
Nuxt-Auth parses the state base64 encoded.
While pushing the state to hydra auth endpoint, the state is encoded two times.

Example:
Nuxt sends the state: MC45MTYzODAxNjA3Mjc0MTY=
It comes back from hydra after correct login in a form: MC45MTYzODAxNjA3Mjc0MTY%253D

It looks like the initial value is being url.QueryEncoded into MC45MTYzODAxNjA3Mjc0MTY%3D and then again the '%' sign is being encoded into the form provided above.

The consent app is a simple golang consent using your newest sdk, and on our backend we don't change the state value.

It crashes the auth flow when the state ends up with '='.

aeneasr added the bug label Aug 23, 2018
aeneasr modified the milestones: v1.0.0-rc.1, unplanned Aug 23, 2018
Member

aeneasr commented Aug 23, 2018

Looks like a bug. Although = isn't URL-safe, it probably shouldn't be double encoded. It's also allowed per spec in the state, iirc.

aeneasr modified the milestones: unplanned, v1.0.0-rc.1 Aug 23, 2018
Member

aeneasr commented Aug 25, 2018

Actually, I cannot reproduce this. I tried it with &state=rflvvkpeldfzfdzyoocqihxh%3D%3D and &state=rflvvkpeldfzfdzyoocqihxh== in the browser URL. The first time the state comes back with &state=rflvvkpeldfzfdzyoocqihxh%3D%3D and also the second time &state=rflvvkpeldfzfdzyoocqihxh%3D%3D. I also checked the code and there is no double encoding. Are you sure this isn't on your side (client code)?

aeneasr added the investigate label and removed the bug label Aug 25, 2018
aeneasr modified the milestones: v1.0.0-rc.1, v1.0.0, unplanned Aug 25, 2018
Member

aeneasr commented Aug 26, 2018

Closing, feel free to comment/reopen if you found the issue.

aeneasr closed this as completed Aug 26, 2018
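
The symptom reported in this thread, as an added Go example (not code from Hydra, Nuxt-Auth, or either commenter): escaping a state value before handing it to `url.Values` yields the `%253D` form, and counting how many decode rounds are needed to recover the original value helps locate which hop in a redirect chain re-encodes. The function names and the `client.example` callback are hypothetical.

```go
package main

import (
	"fmt"
	"net/url"
)

// buildRedirect appends state to a callback URL. With preEscape=true it
// reproduces the mistake of escaping a value that url.Values.Encode will
// escape again.
func buildRedirect(callback, state string, preEscape bool) string {
	if preEscape {
		state = url.QueryEscape(state) // "=" becomes "%3D"
	}
	q := url.Values{}
	q.Set("state", state) // Encode() escapes once more: "%" becomes "%25"
	return callback + "?" + q.Encode()
}

// stateFromRedirect returns state as a client sees it after the single
// decode that standard query parsing performs.
func stateFromRedirect(redirect string) (string, error) {
	u, err := url.Parse(redirect)
	if err != nil {
		return "", err
	}
	return u.Query().Get("state"), nil
}

// encodingLayers reports how many extra unescape rounds turn got into want,
// or -1 if it never matches within maxRounds (a genuine state mismatch).
func encodingLayers(got, want string, maxRounds int) int {
	for i := 0; i <= maxRounds; i++ {
		if got == want {
			return i
		}
		next, err := url.QueryUnescape(got)
		if err != nil || next == got {
			return -1
		}
		got = next
	}
	return -1
}

func main() {
	const sent = "MC45MTYzODAxNjA3Mjc0MTY=" // state value from the report
	for _, pre := range []bool{false, true} {
		r := buildRedirect("https://client.example/callback", sent, pre) // constructed host
		got, _ := stateFromRedirect(r)
		fmt.Printf("preEscape=%v url=%s layers=%d\n", pre, r, encodingLayers(got, sent, 3))
	}
}
```

A result of 0 means the value survived the round trip; 1 or more means some component escaped an already-escaped value, so the client's exact-match comparison of state fails even though no tampering occurred.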