AuthorizationRequest.parse(final URI uri) incorrectly parses query parameters with encoded "="

Issue #149 invalid
Matt Randall created an issue

When invoking the parse method, a caller whose redirect URI includes query parameters (as allowed in section 3.1.2 of the OAuth 2.0 Framework) gets truncated. This is because java.net.URI's .getQuery() method returns the string with all encoded characters decoded, including the equal sign. As a result, the split on "=" results in three strings, causing the query parameters inside a parameter to be truncated.

Instead, this method should use java.net.URI.getRawQuery() -- it appears this was what was intended, because later URLUtils.parseParameters(...) attempts to URLDecode the parameter values.

Attached is a unit test that shows .getRawQuery() is the appropriate method to invoke when passing a query string to URLUtils.parseParameters(). For demonstration, if you switch line 23 to uri.getQuery(), the test will fail.
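
An added illustration of the getQuery() versus getRawQuery() difference described in the report; it is not the attached unit test and not code from the SDK. The parseParameters helper is a hypothetical stand-in for a split-then-decode query parser, and the request URI and host names are constructed. It also covers a nested "&", which goes one step beyond the "=" case in the report.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

public class RawQueryDemo {

    // Hypothetical stand-in for a query parser (not the SDK's URLUtils code):
    // split pairs on "&", split each pair on "=", then URL-decode key and value.
    static Map<String, String> parseParameters(String query) {
        Map<String, String> params = new LinkedHashMap<>();
        if (query == null || query.isEmpty()) {
            return params;
        }
        for (String pair : query.split("&")) {
            String[] kv = pair.split("=");
            String key = URLDecoder.decode(kv[0], StandardCharsets.UTF_8);
            String value = kv.length > 1
                    ? URLDecoder.decode(kv[1], StandardCharsets.UTF_8)
                    : "";
            params.put(key, value);
        }
        return params;
    }

    public static void main(String[] args) {
        // Constructed request: redirect_uri carries its own percent-encoded query string.
        URI uri = URI.create(
                "https://as.example/authorize?response_type=code&client_id=abc"
                + "&redirect_uri=https%3A%2F%2Fclient.example%2Fcb%3Fa%3D1%26b%3D2");

        // getQuery() decodes %3D and %26 before the parser runs, so the nested
        // "=" and "&" can no longer be told apart from the outer delimiters.
        Map<String, String> fromDecoded = parseParameters(uri.getQuery());

        // getRawQuery() keeps the escapes; each value is decoded only after splitting.
        Map<String, String> fromRaw = parseParameters(uri.getRawQuery());

        System.out.println("getQuery():    " + fromDecoded);
        System.out.println("getRawQuery(): " + fromRaw);
    }
}
```

Comparing the redirect_uri entry and the set of top-level keys in the two maps shows whether the nested query string survived parsing intact.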
