AuthorizationRequest.parse(final URI uri) incorrectly parses query parameters with encoded "="
Originally posted in JOSE+JWT bug tracker: https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/149/authorizationrequestparse-final-uri-uri
Matt Randall created an issue 2 days ago
When the parse method is invoked, a redirect URI that includes query parameters (as allowed in section 3.1.2 of the OAuth 2.0 Framework) gets truncated. This is because java.net.URI's getQuery() method returns the string with all encoded characters decoded, including the equal sign. As a result, the split on "=" results in three strings, causing the query parameters inside a parameter to be truncated.
Instead, this method should use java.net.URI's getRawQuery() -- it appears this was what was intended, because later URLUtils.parseParameters(...) attempts to URL-decode the parameter values.
Attached is a unit test that shows getRawQuery() is the appropriate method to invoke when passing a query string to URLUtils.parseParameters(). For demonstration, if you switch line 23 to uri.getQuery(), the test will fail.
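The following is an added Java example, not the SDK's code and not the reporter's attached unit test. It places a naive decode-then-split parser next to a split-then-decode parser and runs both over a constructed authorization request whose redirect_uri value carries percent-encoded "=" and "&". The two parser methods are simplified stand-ins for the behaviour described above, not the SDK's URLUtils.parseParameters; the sample URI is made up. It goes one step beyond the reported "=" case: with getQuery() the decoded "%26" also splits the value and surfaces a parameter (v) that was never sent at the top level, which is why a parser must split on the raw query before decoding. URLDecoder.decode(String, Charset) needs Java 10 or later.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

public class RawQueryDemo {

    // Buggy variant: getQuery() has already turned "%3D" into "=" and "%26" into "&",
    // so the delimiters inside the redirect_uri value are indistinguishable from the
    // real ones. split("=") yields three pieces and the value is cut after "tenant".
    static Map<String, String> parseDecodedFirst(URI uri) {
        Map<String, String> params = new LinkedHashMap<>();
        String query = uri.getQuery(); // decoded form
        if (query == null) {
            return params;
        }
        for (String pair : query.split("&")) {
            String[] kv = pair.split("=");
            params.put(kv[0], kv.length > 1 ? kv[1] : "");
        }
        return params;
    }

    // Corrected variant: split the raw, still percent-encoded query on "&" and on the
    // first "=", then decode each component. Encoded delimiters inside a value survive.
    static Map<String, String> parseRawThenDecode(URI uri) {
        Map<String, String> params = new LinkedHashMap<>();
        String rawQuery = uri.getRawQuery(); // percent-encoding preserved
        if (rawQuery == null) {
            return params;
        }
        for (String pair : rawQuery.split("&")) {
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(URLDecoder.decode(key, StandardCharsets.UTF_8),
                       URLDecoder.decode(value, StandardCharsets.UTF_8));
        }
        return params;
    }

    public static void main(String[] args) {
        // Constructed sample: redirect_uri is itself a URL with its own query string,
        // so its "?", "=" and "&" are percent-encoded in the outer request.
        URI uri = URI.create("https://as.example.com/authorize"
            + "?response_type=code&client_id=s6BhdRkqt3"
            + "&redirect_uri=https%3A%2F%2Fclient.example.com%2Fcb%3Ftenant%3Dacme%26v%3D2"
            + "&state=af0ifjsldkj");

        System.out.println("getQuery():      " + uri.getQuery());
        System.out.println("getRawQuery():   " + uri.getRawQuery());

        Map<String, String> buggy = parseDecodedFirst(uri);
        Map<String, String> fixed = parseRawThenDecode(uri);

        // Truncated to "https://client.example.com/cb?tenant", plus a spurious "v" key.
        System.out.println("decoded-first redirect_uri: " + buggy.get("redirect_uri"));
        System.out.println("decoded-first has key v:    " + buggy.containsKey("v"));

        // Full "https://client.example.com/cb?tenant=acme&v=2", no spurious key.
        System.out.println("raw-then-decode redirect_uri: " + fixed.get("redirect_uri"));
        System.out.println("raw-then-decode has key v:    " + fixed.containsKey("v"));
    }
}
```

The redirect URI matters for security because the authorization server compares it against the registered value before sending a code to it; a parser that silently drops part of it, or that manufactures an extra top-level parameter out of an encoded value, can make that comparison succeed or fail for the wrong reasons.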
Comments (3)
reporter changed status to resolved
Fixed in commit 3146da7, also for AuthorizationResponse, AuthenticationRequest and LogoutRequest URIs.
reporter: Fix released as SDK v4.16.1:
http://search.maven.org/#artifactdetails|com.nimbusds|oauth2-oidc-sdk|4.16.1|jar