[CAS 6.1.3]: OAuth2 Implict Grant - Passed state isn't returned correctly

[David Albrecht]

Hi all,

when using the implict grant and passing a state parameter which contains special characters the state parameter in the returned redirect doesn't match.

Example:

https://localhost:25443/ffauth/oauth2.0/authorize?response_type=token&client_id=swagger&redirect_uri=http%3A%2F%2Flocalhost%3A24080%2Fffwebservices%2Fswagger%2Foauth2-redirect.html&scope=write%20read&state=RnJpIEphbiAyNCAyMDIwIDA5OjQ4OjM3IEdNVCswMTAwIChNaXR0ZWxldXJvcMOkaXNjaGUgTm9ybWFsemVpdCk%3D

leads to a redirect to:

http://localhost:24080/ffwebservices/swagger/oauth2-redirect.html#access_token=eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.ZXlKNmFYQWlPaUpFUlVZaUxDSmhiR2NpT2lKa2FYSWlMQ0psYm1NaU9pSkJNVEk0UTBKRExVaFRNalUySWl3aVkzUjVJam9pU2xkVUlpd2lkSGx3SWpvaVNsZFVJbjAuLml6NjUycnV5LV9IRXN4RTBNckRudEEuWUFmNThMN2FjanM5cExoVVpjR1hma3pYc1lrSnpFUkQtSmp6V0VyTDNMUW0tSEdVZV9Pa3FESEhnalRySVMweDhoRkhQb2JCQy12RGJnWWlxT2wyUTJONGNVMTZ3bEJCcjlMUEg3Qjk4MUUzQ1ltN0Vlb2pCa2N3VjlwZ3J3TDIwVndnc0xIbmNFc1VPZV9ic1NidnRURVM3RElxVWJfbjVUUk1OYy01TmROTGRjd2Z1V3VGNTRkcXpCMGQ3R3ZieTNqdXZJNEkwMHNpOTEyMGRoNGRsU1hxMEdDV0VwOWE3cWVaTnZSa1hWYlRrcFZHaFRNbUFBOXBkT2k2dWlrb3ZfSFNwYVRKczBkMnN3REN5ejhzVk4xUEJfamRDU3dla0dxanR5WkxZcTdnNktGMEtIZGFlakZhTzVfdk9rNkYyODNBQ2RHcmVhSjBXNjhJc2dhQkYwVUhHMUNXYzdlNDB3LTEzQk1ZTW9SazhOLVoxR092TTVreTN5elJLUnZ1OTRXelFXd0dsYl9aWmNYLW11Wldsd0JyNVFUaTItZlpDeUVFNXZuMG9zcy5jQ0xnMkYwUGdMOC1ENHl0V091djNn.n2rpw9_bXKx78LdxjSyET6xCkN5je9q-KJD_M_llMmOaDH5XZzpKTIl1cLzjz-5Ewg6WQYvM1oufkLMPeZSOKg&token_type=bearer&expires_in=86400&state=RnJpIEphbiAyNCAyMDIwIDA5OjQ4OjM3IEdNVCswMTAwIChNaXR0ZWxldXJvcMOkaXNjaGUgTm9ybWFsemVpdCk%253D

As you can see the '%' is returned URL encoded as '%25'. This leads to errors like:

auth warningAuthorization may be unsafe, passed state was changed in server Passed state wasn't returned from auth server.

In addition it seems to violate https://tools.ietf.org/html/rfc6749#section-4.2.1

Regards

David

[Misagh Moayyed]

Just wanted to note the patch/fix is now merged.

Thank you David!