LocalServerReceiver corrupts authorization code #1128

@LionelOnTech

Description

google-oauth-java-client's LocalServerReceiver corrupts the authorization code if the code contains an encoded = sign (%3D).

Environment details

  1. OS type and version: any
  2. Java version: 17
  3. google-oauth-client-jetty-1.36.0.jar

Steps to reproduce

  1. Run PKCESample.java against any OAuth server
  2. If the authorization code returned from the server contains %3D, it is removed and the POST for the token fails. For example, if the OAuth server opened: http://localhost:8089/Callback?code=AgAg...pRfrigVQHIyP4erQ%3D
  3. When getQuery is called, the %3D is decoded to =.
  4. When queryToMap is called, split("=") is called, and the = at the end of the code is removed, thus corrupting the authorization code.

Any additional information below

The issue is in google-oauth-java-client's LocalServerReceiver at line 282.

getRawQuery() should be used instead, then decoded after the queryToMap call.
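The two parsing orders described in the report, side by side, as an added example that is not code from the issue or from google-oauth-java-client. The class name, method names and the callback URI (with a placeholder code value) are constructed for illustration. The broader point it shows is that decoding before splitting lets any percent-encoded delimiter (%3D for =, %26 for &) act as a real delimiter, so the parser must split the raw query first and decode each key and value on its own.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical class written for this issue; not part of the library.
public class CallbackQueryParsing {

    // Decode-then-split, the order the issue describes: getQuery() has already
    // turned %3D into '=', so split("=") treats the code's trailing '=' as a
    // separator and String.split drops the resulting empty trailing element.
    static Map<String, String> decodeThenSplit(URI callback) {
        Map<String, String> params = new LinkedHashMap<>();
        String decoded = callback.getQuery();
        if (decoded == null) {
            return params;
        }
        for (String pair : decoded.split("&")) {
            String[] kv = pair.split("=");
            params.put(kv[0], kv.length > 1 ? kv[1] : "");
        }
        return params;
    }

    // Split-then-decode: take the raw (still percent-encoded) query from
    // getRawQuery(), split on the first '=' of each pair, and only then decode
    // the key and the value separately, so encoded delimiters stay literal.
    static Map<String, String> splitThenDecode(URI callback) {
        Map<String, String> params = new LinkedHashMap<>();
        String raw = callback.getRawQuery();
        if (raw == null) {
            return params;
        }
        for (String pair : raw.split("&")) {
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(URLDecoder.decode(key, StandardCharsets.UTF_8),
                       URLDecoder.decode(value, StandardCharsets.UTF_8));
        }
        return params;
    }

    public static void main(String[] args) {
        // Constructed sample callback; the code value is a placeholder, not a real authorization code.
        URI callback = URI.create(
            "http://localhost:8089/Callback?code=AgAgpRfrigVQHIyP4erQ%3D&state=xyz");

        String corrupted = decodeThenSplit(callback).get("code"); // "AgAgpRfrigVQHIyP4erQ" (trailing '=' lost)
        String intact = splitThenDecode(callback).get("code");    // "AgAgpRfrigVQHIyP4erQ="

        System.out.println("decode-then-split: " + corrupted);
        System.out.println("split-then-decode: " + intact);
        System.out.println("state: " + splitThenDecode(callback).get("state"));
    }
}
```

One caveat for the decoding step: URLDecoder implements application/x-www-form-urlencoded decoding, so a literal + in the raw query becomes a space. That matches how browsers submit form data and how most authorization servers percent-encode the code parameter, but a server that emits an unencoded + in a base64 code would need plain percent-decoding instead.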

Metadata

Assignees

No one assigned

    Labels

    priority: p4; type: bug (Error or flaw in code with unintended results or allowing sub-optimal usage patterns.)

    Development

    No branches or pull requests