Use encodeURIComponent for state in getAuthorizationUri #289
Comments
The state should not be user input; it should be created and used by the app only.
Yes, agree. I did not express myself correctly in the previous message. With There is no protection against a developer using characters in the state string (e.g. a base64 string) that need to be encoded when used as a query parameter in the URL. Also, it is not documented that the state needs to be encoded before handing it over to this function.
Hello @julesair, thank you for presenting this to us. I have filed a ticket for our team to look into making this change.
Link to PR: #288
Use case: when using a base64 encoded string, the value read from the location path when the user is redirected is not always the same as the one given to `getAuthorizationUri`.
Like the redirectUri, the state is a user input and as such not safe to be used in a URL without escaping certain characters.
Can we use `encodeURIComponent` on the state parameter?
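
The round trip described in this issue, as an added example that is not part of the original thread and not the library's own code. `buildAuthorizationUri`, `stateAfterRoundTrip`, the endpoint and the client values are hypothetical; the example also goes beyond the issue by showing what happens when the state is encoded twice and when a base64url state is used instead.

```javascript
// Added example. buildAuthorizationUri and stateAfterRoundTrip are hypothetical
// helpers, not the library's getAuthorizationUri. All values are constructed.
const AUTHORIZE_ENDPOINT = 'https://auth.example.test/oauth2/authorize';
const client = { clientId: 'demo-client', redirectUri: 'https://app.example.test/callback' };

// encodeState=false concatenates state unchanged (the behaviour the issue reports);
// encodeState=true applies encodeURIComponent (the change the issue asks for).
function buildAuthorizationUri({ clientId, redirectUri, state }, encodeState) {
  const stateParam = encodeState ? encodeURIComponent(state) : state;
  return `${AUTHORIZE_ENDPOINT}?response_type=code` +
    `&client_id=${encodeURIComponent(clientId)}` +
    `&redirect_uri=${encodeURIComponent(redirectUri)}` +
    `&state=${stateParam}`;
}

// Assumption: the authorization server parses the query with standard
// form-urlencoded rules ('+' means space) and echoes that value on the redirect.
function stateAfterRoundTrip(authorizationUri) {
  return new URL(authorizationUri).searchParams.get('state');
}

// Constructed 4-byte value whose standard base64 form is "+/+/AQ==".
const rawBytes = Buffer.from([0xfb, 0xff, 0xbf, 0x01]);
const base64State = rawBytes.toString('base64');
const base64UrlState = rawBytes.toString('base64url'); // URL-safe alphabet, no padding

function roundTrip(state, encodeState) {
  return stateAfterRoundTrip(buildAuthorizationUri({ ...client, state }, encodeState));
}

// Returns the state value the callback handler would see in each case.
function demo() {
  return {
    rawBase64: roundTrip(base64State, false),   // '+' comes back as ' '
    encodedOnce: roundTrip(base64State, true),  // comes back unchanged
    // Caller pre-encodes AND the helper encodes: one layer of %XX is left over.
    encodedTwice: roundTrip(encodeURIComponent(base64State), true),
    rawBase64Url: roundTrip(base64UrlState, false), // safe without any encoding
  };
}

for (const [name, returned] of Object.entries(demo())) {
  const ok = returned === base64State || returned === base64UrlState;
  console.log(`${name}: ${JSON.stringify(returned)} ${ok ? 'matches' : 'MISMATCH'}`);
}
```

A mismatch here means the callback's state check rejects a legitimate login, so the encoding has to happen exactly once, either in the caller or in the URI builder, and be documented as such.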