Hi,
Our web server application (deployed in AWS) uses Google OAuth 2.0 endpoints to implement OAuth 2.0 authorization.
We ran into a problem during the user redirection step (after the user has approved the consent permission). So Google redirects the user back to our web app with this URL:
But this request does not reach our web application because AWS WAF is blocking it. This request does not pass the "GenericRFI_QUERYARGUMENTS" rule. This rule inspects the values of all query parameters and blocks requests attempting to exploit RFI (Remote File Inclusion) in web applications. Examples include patterns like ://.
Unfortunately, it is these characters that are contained in the "scope" parameter of the request. Can we somehow tell Google that we don't need the "scope" parameter in the redirect URI, or is there any way to go about this?
Thanks
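
To confirm which query argument of a blocked callback trips the `://` pattern described in the post, the following added example (not part of the original post, and not AWS's rule logic) decodes each query parameter and reports the offending tokens. The callback URL, host name and parameter values are constructed, and the single `://` substring check is an assumption based only on the pattern the post cites.

```python
from urllib.parse import urlsplit, parse_qsl

# Pattern cited in the post; the managed rule's full pattern list is
# not reproduced here, so this is an approximation (assumption).
RFI_MARKER = "://"


def flag_query_arguments(url):
    """Return {param: [tokens]} for query values that contain '://'."""
    findings = {}
    # parse_qsl percent-decodes values and turns '+' into a space,
    # so encoded forms such as https%3A%2F%2F are checked after decoding.
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        # An OAuth scope value is a space-delimited list: report per token
        # so the exact scope entry causing the match is visible.
        hits = [tok for tok in value.split(" ") if RFI_MARKER in tok]
        if hits:
            findings.setdefault(name, []).extend(hits)
    return findings


# Constructed callback URL (hypothetical host, state and code values).
SAMPLE_CALLBACK = (
    "https://app.example.com/oauth2/callback"
    "?state=constructed-state-123"
    "&code=4%2Fconstructed-auth-code"
    "&scope=email+profile+openid+"
    "https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email"
    "&prompt=consent"
)

if __name__ == "__main__":
    for param, tokens in flag_query_arguments(SAMPLE_CALLBACK).items():
        print(f"{param}: {tokens}")
```

Running it against a URL copied from the WAF sampled requests shows whether `scope` is the only argument matching, which is what determines how narrowly any rule exception can be written.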