jans
bug(jans-auth-server): extra encoding in custom parameters of authz requests
Trying to send an authz request with a custom parameter that needs url-encoding generates a redirect slightly off. See customParam4 in the examples below.
Working (no encoding needed):
$ curl -i -k -G 'https://bull.co/jans-auth/restv1/authorize' -d scope=openid -d acr_values=agama -d response_type=code -d state=e6539455 -d client_id='1800.1fe95290-983e-488e-963a-8f728d77a702' --data-urlencode redirect_uri='https://bull.co/admin-ui' -d customParam4='hi'
HTTP/1.1 302 Found
...
Location: https://bull.co/jans-auth/authorize.htm?scope=openid&acr_values=agama&response_type=code&customParam4=hi&redirect_uri=https%3A%2F%2Fbull.co%2Fadmin-ui&state=e6539455&client_id=1800.1fe95290-983e-488e-963a-8f728d77a702
$ tail -f /var/log/apache2/other_vhosts_access.log
bull.co:443 10.54.250.1 - - [02/Aug/2022:19:10:48 +0000] "GET /jans-auth/restv1/authorize?scope=openid&acr_values=agama&response_type=code&state=e6539455&client_id=1800.1fe95290-983e-488e-963a-8f728d77a702&redirect_uri=https%3A%2F%2Fbull.co%2Fadmin-ui&customParam4=hi HTTP/1.1" 302 1982 "-" "curl/7.68.0"
Location header looks good above.
Buggy (when encoding needed):
$ curl -i -k -G 'https://bull.co/jans-auth/restv1/authorize' -d scope=openid -d acr_values=agama -d response_type=code -d state=e6539455 -d client_id='1800.1fe95290-983e-488e-963a-8f728d77a702' --data-urlencode redirect_uri='https://bull.co/admin-ui' --data-urlencode customParam4=' '
HTTP/1.1 302 Found
Server: Apache/2.4.54 (Debian)
...
Location: https://bull.co/jans-auth/authorize.htm?scope=openid&acr_values=agama&response_type=code&customParam4=%2520&redirect_uri=https%3A%2F%2Fbull.co%2Fadmin-ui&state=e6539455&client_id=1800.1fe95290-983e-488e-963a-8f728d77a702
$ tail -f /var/log/apache2/other_vhosts_access.log
bull.co:443 10.54.250.1 - - [02/Aug/2022:18:39:16 +0000] "GET /jans-auth/restv1/authorize?scope=openid&acr_values=agama&response_type=code&state=e6539455&client_id=1800.1fe95290-983e-488e-963a-8f728d77a702&redirect_uri=https%3A%2F%2Fbull.co%2Fadmin-ui&customParam4=%20 HTTP/1.1" 302 1985 "-" "curl/7.68.0"
Note that Apache receives the whitespace (correctly) as %20, but auth-server sends %2520. It seems it tried to encode the % character, whose hex ASCII code is 25.
Expected behavior is Location: https://...&customParam4=%20&...
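The following is an added illustration of the defect, not the project's own code: it is Python rather than the auth-server's Java, and it models the two ways of rebuilding the Location query from a raw query string like the one in the Apache log (the query string, the `KNOWN_PARAMS` set and the function names are assumptions for this example). The buggy path copies custom parameters in their still-encoded wire form before encoding again; the fixed path decodes every value once and encodes once. `has_double_encoding` is a regression check that flags the `%25XX` signature.

```python
import re
from urllib.parse import parse_qsl, quote, unquote, urlencode, urlsplit

AUTHORIZE_PAGE = "https://bull.co/jans-auth/authorize.htm?"

# Parameters the authz endpoint knows about; anything else is a "custom parameter".
# (Assumed set for this example, not taken from the auth-server source.)
KNOWN_PARAMS = {"scope", "acr_values", "response_type", "state", "client_id", "redirect_uri"}

# Constructed query string, modelled on the buggy request's Apache log line:
# customParam4 arrives as %20, redirect_uri arrives with its own escapes.
RAW_QUERY = ("scope=openid&acr_values=agama&response_type=code&state=e6539455"
             "&redirect_uri=https%3A%2F%2Fbull.co%2Fadmin-ui&customParam4=%20")


def _raw_pairs(raw_query: str) -> list:
    # Split the wire form without decoding anything, as a naive query copy would.
    return [tuple(kv.split("=", 1)) for kv in raw_query.split("&")]


def build_location_buggy(raw_query: str) -> str:
    # Models the reported defect: known params are decoded before being re-encoded,
    # but custom params are copied still-encoded, so "%20" becomes "%2520".
    pairs = [(k, unquote(v) if k in KNOWN_PARAMS else v) for k, v in _raw_pairs(raw_query)]
    return AUTHORIZE_PAGE + urlencode(pairs, quote_via=quote)


def build_location_fixed(raw_query: str) -> str:
    # Decode every value exactly once (parse_qsl does this), then encode exactly once.
    pairs = parse_qsl(raw_query, keep_blank_values=True)
    return AUTHORIZE_PAGE + urlencode(pairs, quote_via=quote)


def query_params(url: str) -> dict:
    # What a client following the redirect sees after one decoding pass.
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def has_double_encoding(url: str) -> bool:
    # Heuristic regression check: a value that still contains a %XX escape after one
    # decode pass is the signature of double encoding (%2520 -> %20). User data that
    # legitimately contains "%" followed by two hex digits would be a false positive.
    return any(re.search(r"%[0-9A-Fa-f]{2}", v) for v in query_params(url).values())
```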