State improvements #224
Merged
State improvements #224
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
vdyalex
reviewed
Jan 28, 2018
| * Default separator is ';' (encoded %3B). | ||
| * In rare cases, this character might be forbidden or inconvenient to use by the issuer so it can be customized. | ||
| */ | ||
| public nonceStateSeparator = ';'; |
There was a problem hiding this comment.
It should be optional to the user. However, it needs a default value. Consider using nonceStateSeparator?= ';'
Author
There was a problem hiding this comment.
Thx @alexndreazevedo, good point. It is changed.
Author
|
@manfredsteyer Are there some chances to include those fixes soon? |
Owner
|
Thx! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In the pull request two main changes are proposed:
State Separator
In the library, the semicolon character is always used as a separator between nonce and additional state.
There is a bug in the Microsoft Azure B2C web page, the state parameter cannot contain semicolon character (encoded %3B).
Step to reproduce:
Go to Uri:
https://login.microsoftonline.com/te/fabrikamb2c.onmicrosoft.com/b2c_1_susi/oauth2/v2.0/authorize?client_id=fdb91ff5-5ce6-41f3-bdbd-8267c817015d&redirect_uri=https%3a%2f%2flocalhost%3a44316%2f&response_mode=form_post&response_type=code+id_token&scope=openid+profile+offline_access+https%3a%2f%2ffabrikamb2c.onmicrosoft.com%2ftasks%2fread+https%3a%2f%2ffabrikamb2c.onmicrosoft.com%2ftasks%2fwrite&state=some%3BState&nonce=someNonce
Click „Sign Up now”
You should see an error page.
Although it seems to be a Microsoft’s bug, still it would nice to have a possibility to customize this separator. This special character was already problematic once: #61
Getting additional state value when an error occurs (oauth failed).
The additional state value is extracted only for successful flow.
Some SPA might be interested to get state value even when an error occurs (it depends of the business logic in the application). I’m proposing to do the state parsing few lines earlier.