LocalServerReceiver corrupts authorization code #1128

Open
LionelOnTech opened this issue Nov 27, 2024 · 0 comments
LionelOnTech commented Nov 27, 2024

google-oauth-java-client's LocalServerReceiver corrupts the authorization code if the code contains an encoded = sign (%3D).

Environment details

  1. OS type and version: any
  2. Java version: 17
  3. google-oauth-client-jetty-1.36.0.jar

Steps to reproduce

  1. Run PKCESample.java against any OAuth server
  2. If the authorization code returned from the server contains %3D, it is removed and the POST for the token fails. For example, if the OAuth server opened: http://localhost:8089/Callback?code=AgAg...pRfrigVQHIyP4erQ%3D
  3. When getQuery is called, the %3D is decoded to =.
  4. When queryToMap is called, the split("=") is called, and the = at the end of the code is removed, thus corrupting the authorization code.

Any additional information below

The issue is in google-oauth-java-client's LocalServerReceiver, line 282.

getRawQuery() should be used instead, and the values decoded after the queryToMap call.
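To make the parse-order problem concrete, here is an added Java example (not code from google-oauth-java-client or from the issue author). `decodeThenSplit` mirrors the decode-first order described in steps 3 and 4; `splitThenDecode` is the raw-query approach suggested above: split on `&` and on the first `=` while the query is still percent-encoded, then decode key and value separately. The class name, method names and the sample code value are constructed for the illustration.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration for the parse-order bug; not code from google-oauth-java-client.
public class CallbackQueryDemo {

    // Mirrors the order the issue describes: the query has already been URL-decoded
    // (as getQuery() does), and each pair is then split on "=". A "%3D" inside the
    // code has already become "=", so split("=") cuts the value there, and String.split
    // drops trailing empty elements, so a "=" at the very end of the code vanishes.
    static Map<String, String> decodeThenSplit(String decodedQuery) {
        Map<String, String> result = new LinkedHashMap<>();
        if (decodedQuery == null) {
            return result;
        }
        for (String param : decodedQuery.split("&")) {
            String[] pair = param.split("=");
            result.put(pair[0], pair.length > 1 ? pair[1] : "");
        }
        return result;
    }

    // Safe order: split the still-encoded query on "&" and on the FIRST "=" only,
    // then percent-decode key and value separately. Any "%3D" inside the code is
    // decoded to "=" after the split, so it can no longer act as a separator.
    static Map<String, String> splitThenDecode(String rawQuery) {
        Map<String, String> result = new LinkedHashMap<>();
        if (rawQuery == null) {
            return result;
        }
        for (String param : rawQuery.split("&")) {
            if (param.isEmpty()) {
                continue;
            }
            String[] pair = param.split("=", 2);
            String key = URLDecoder.decode(pair[0], StandardCharsets.UTF_8);
            String value = pair.length > 1
                    ? URLDecoder.decode(pair[1], StandardCharsets.UTF_8)
                    : "";
            result.put(key, value);
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample: a callback query whose authorization code ends in "%3D"
        // (an encoded "="), as in the redirect URI shown in the issue.
        String rawQuery = "code=AgAgVQHIyP4erQ%3D&state=xyz";
        // What getQuery() would hand back: the whole query already decoded.
        String decodedQuery = URLDecoder.decode(rawQuery, StandardCharsets.UTF_8);

        String corrupted = decodeThenSplit(decodedQuery).get("code");
        String intact = splitThenDecode(rawQuery).get("code");

        System.out.println("decode-then-split: " + corrupted);
        System.out.println("split-then-decode: " + intact);
        System.out.println("codes match: " + corrupted.equals(intact));
    }
}
```

Running the class shows the decode-first path returning the code without its trailing `=`, while the raw-query path returns the code exactly as the server issued it. Splitting with a limit of 2 matters as well: even a `=` in the middle of a decoded value would otherwise be treated as a separator.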
