U2F redirect comes w/ semicolons #141
Comments
|
Is this new behavior? (staring with chrome95) or has it been like this for a while? |
|
Looks like this behavior started with the merge of https://go-review.googlesource.com/c/go/+/325697/ in go1.17. I rebuilt my container recently with the newer version of Go, so that's when it started for me. I have a Chromebook I haven't used in a while running 93.0.4577.107 and I was able to reproduce the issue. |
|
Rebuilt keymaster using golang:1.16 and am no longer having an issue. Rebuilding with go1.17 was the cause of the issue. |
|
There are actually 2 issues regarding this issue:
I was originally focused on 1 and is related to the way we use the temlplate/html code to generate our passed back parameters. I have ideas on this but is is not as simple for testing. I will work soonish on 2 so that at least we are much more correct, even is not user friendly. |
|
Tested and resolved. |
Fixes issue Cloud-Foundations#141 and should fix issue Cloud-Foundations#2.
I am using keymaster as an openid connect provider. I use a U2F hardware key and Chrome 95.
After U2F SignResponse I am redirected to
/idp/oauth2/authorize?access_type=offline&client_id=<REDACTED>&redirect_uri=https://<REDACTED>/callback&response_type=code&scope=openid+profile+email+offline_access&state=<REDACTED>This is causing an issue w/ the golang net/http which no longer allows semicolons in req.URL.RawQuery per line 2873.
Error in keymaster log:
http: URL query contains semicolon, which is no longer a supported separator; parts of the query may be stripped when parsed; see golang.org/issue/25192Error in the browser: '500 Internal Server Error'
This does not occur when I use TOTP. This also does not occur when I log in to keymaster directly using U2F, only when it is part of an openid connect login for a different endpoint. Additionally I have no issue if I login to keymaster first and then navigate to my openid connect endpoint.
The text was updated successfully, but these errors were encountered: