Handle query component in original redirect_uri
Reported by email to support, submitter details stripped for confidentiality:
Hi All
We are using the oauth2-oidc-sdk library version 4.14.1.
We have a client having the following redirect uri registered:
https://example.com/myservice/?action=oidccallback
We use the class AuthenticationSuccessResponse to respond to the client.
Example code:
AuthenticationSuccessResponse res = new AuthenticationSuccessResponse(authReq.getRedirectionURI(), code, null, null, authReq.getState(), null, null);
ServletUtils.applyHTTPResponse(res.toHTTPResponse(), response);
In this context the method AuthorizationResponse.toURI() will be called and does the following:
StringBuilder sb = new StringBuilder(getRedirectionURI().toString());
if (rm.equals(ResponseMode.QUERY)) {
    sb.append('?');
} else if (rm.equals(ResponseMode.FRAGMENT)) {
    sb.append('#');
} else {
    throw new SerializeException("The (implied) response mode must be query or fragment");
}
The result is now the following response, having 2 question marks:
We believe that it is allowed to have a redirect-uri having query parameters. If this is true, we assume that the class above has a bug.
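Added example, not the reporter's code and not the SDK's: it reproduces the delimiter logic quoted above beside a variant that appends to an existing query component with '&' instead of a second '?'. The class and enum names and the sample code/state values are constructed for illustration.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.StringJoiner;

public final class RedirectUriBuilder {

    enum ResponseMode { QUERY, FRAGMENT }

    /** Mirrors the reported behaviour: always appends a fresh delimiter. */
    static String buildNaive(URI redirectUri, ResponseMode rm, Map<String, String> params) {
        StringBuilder sb = new StringBuilder(redirectUri.toString());
        sb.append(rm == ResponseMode.QUERY ? '?' : '#');
        return sb.append(encode(params)).toString();
    }

    /** Corrected: join onto an existing query component, so a registered "?action=..." survives. */
    static String build(URI redirectUri, ResponseMode rm, Map<String, String> params) {
        StringBuilder sb = new StringBuilder(redirectUri.toString());
        if (rm == ResponseMode.QUERY) {
            String existing = redirectUri.getRawQuery();
            if (existing == null) {
                sb.append('?');            // no query yet: start one
            } else if (!existing.isEmpty()) {
                sb.append('&');            // query present: extend it
            }                              // a bare trailing '?' needs no delimiter at all
        } else {
            // A registered redirect URI must not carry a fragment (RFC 6749 section 3.1.2),
            // so in fragment mode '#' is always the first delimiter.
            sb.append('#');
        }
        return sb.append(encode(params)).toString();
    }

    static String encode(Map<String, String> params) {
        StringJoiner sj = new StringJoiner("&");
        params.forEach((k, v) -> sj.add(URLEncoder.encode(k, StandardCharsets.UTF_8)
                + "=" + URLEncoder.encode(v, StandardCharsets.UTF_8)));
        return sj.toString();
    }

    public static void main(String[] args) {
        URI registered = URI.create("https://example.com/myservice/?action=oidccallback");
        Map<String, String> params = new LinkedHashMap<>();   // constructed sample values
        params.put("code", "SplxlOBeZQQYbYS6WxSbIA");
        params.put("state", "af0ifjsldkj");
        System.out.println(buildNaive(registered, ResponseMode.QUERY, params)); // ...?action=oidccallback?code=...
        System.out.println(build(registered, ResponseMode.QUERY, params));      // ...?action=oidccallback&code=...
    }
}
```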
Comments (3)
reporter changed status to resolved
Fixed in commit 54efac9.
reporter: Issue #145 was marked as a duplicate of this issue.