URL Encoding issue in redirect_url check #460
Comments
I think your redirect uri should be `http%3A%2F%2F127.0.0.1%3A8091%2FauthResponse%3Fcontinue%253Dhttp%3A%2F%2Flocalhost%3A4200%2Fassets%2Foauth.html%2526client_id%253D39691` when passed as a query parameter. Could you try with this value? |
I'm using Spring's `UriComponentsBuilder` to build the uri. Apparently,
they encode according to RFC 3986, see http://stackoverflow.com/a/21460758
- So I think the representation should be fine.
I can try your suggestion later, but I'm not at home right now.
…On Sun, 16 Apr 2017 at 11:26, Spomky ***@***.***> wrote:
I think your redirect uri should be
http%3A%2F%2F127.0.0.1%3A8091%2FauthResponse%3Fcontinue%253Dhttp%3A%2F%2Flocalhost%3A4200%2Fassets%2Foauth.html%2526client_id%253D39691
when passed as a query parameter.
Could you try with this value?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#460 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABIEravXJy4bhCIf8Ept47lmsEXxwQeJks5rwd6tgaJpZM4M9_zA>
.
|
This bundle and the library uses the [urlencode](http://php.net/manual/en/function.urlencode.php) function and not the [rawurlencode](http://php.net/manual/en/function.rawurlencode.php) one which is compatible with the RFC3986. |
The `redirect_url` comes in as a query parameter, which itself is
url-encoded. The problem is that it doesn't get **decoded** in the token
endpoint - at least I didn't seem to find where?
…On Sun, 16 Apr 2017 at 12:21, Spomky ***@***.***> wrote:
This bundle and the library uses the [urlencode](
http://php.net/manual/en/function.urlencode.php) function and not the
[rawurlencode](http://php.net/manual/en/function.rawurlencode.php) one
which is compatible with the RFC3986.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#460 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABIErcICdhLgSTLqE_MxAfptZ4Svp13pks5rweuRgaJpZM4M9_zA>
.
|
When I modify the call to validateRedirectUri from the linked code in my
original post like this, it fixes the issue for me (added call to
urldecode):
    $this->validateRedirectUri(
        urldecode($input["redirect_uri"]),
        $authCode->getRedirectUri()
    );
…On Sun, 16 Apr 2017 at 13:05, Mike M. ***@***.***> wrote:
The `redirect_url` comes in as a query parameter, which itself is
url-encoded. The problem is that it doesn't get **decoded** in the token
endpoint - at least I didn't seem to find where?
On Sun, 16 Apr 2017 at 12:21, Spomky ***@***.***> wrote:
> This bundle and the library uses the [urlencode](
> http://php.net/manual/en/function.urlencode.php) function and not the
> [rawurlencode](http://php.net/manual/en/function.rawurlencode.php) one
> which is compatible with the RFC3986.
>
> —
> You are receiving this because you authored the thread.
> Reply to this email directly, view it on GitHub
> <#460 (comment)>,
> or mute the thread
> <https://github.com/notifications/unsubscribe-auth/ABIErcICdhLgSTLqE_MxAfptZ4Svp13pks5rweuRgaJpZM4M9_zA>
> .
>
|
I've submitted a PR to the oauth2-php repository which fixes the issue for me and doesn't break any tests. I'd love to get some feedback on this! // cc @GuilhemN |
Any news on this issue? I ran into the same problem, is there a workaround to fix it? |
Hello, I still have the same problem. I keep on getting this error for a new client. I did not have similar problem with the previous clients that I created. Is there any configuration that I must check to fix this problem? |
I am trying to use a `redirect_url` that contains query parameters with the Authorization Code Grant flow. The redirects in the browser succeed, here is what chrome is requesting:

So the value of `redirect_uri` is `http://127.0.0.1:8091/authResponse?continue%3Dhttp://localhost:4200/assets/oauth.html%26client_id%3D39691`.

What ends up in the oauth_auth_code storage however is the value `http://127.0.0.1:8091/authResponse?continue=http://localhost:4200/assets/oauth.html&client_id=39691` -- note that this URL seems to have been url-decoded before storage.

Now, when my oauth client calls the `/oauth/v2/token` endpoint to retrieve a token from the code obtained above, the `redirect_url` comparison fails because the incoming URL is not url-decoded. Here is the part that fails: https://github.com/FriendsOfSymfony/oauth2-php/blob/master/lib/OAuth2.php#L892-L898

I extended the error message to include both `$input["redirect_uri"]` and `$authCode->getRedirectUri()`, and here is what it says:

The solution would be to either store redirect URIs in their encoded form in the `/oauth/v2/auth` endpoint, or to url-decode the incoming `redirect_uri` in the `/oauth/v2/token` endpoint.

As it stands now, it looks like having query parameters in a `redirect_uri` doesn't work.
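The mismatch described in the issue above, together with the `urlencode`/`rawurlencode` point and the `urldecode()` change from the comment thread, as an added example; this is not code from the oauth2-php project. The stored and incoming values are constructed from the URI in the issue, and `redirectUriMatches()` is a hypothetical stand-in for the token endpoint's check, not the library's API.

```php
<?php
declare(strict_types=1);

// Added example (not oauth2-php code). Reproduces the redirect_uri mismatch
// from the issue with constructed values and shows the effect of applying
// urldecode() to the incoming value before the exact comparison.

// The redirect URI from the issue, including its query parameters.
const REDIRECT_URI = 'http://127.0.0.1:8091/authResponse?continue=http://localhost:4200/assets/oauth.html&client_id=39691';

/**
 * Encode a redirect URI for use as a query-string value with either
 * urlencode() (application/x-www-form-urlencoded, space -> '+') or
 * rawurlencode() (RFC 3986, space -> '%20').
 */
function encodeAsQueryValue(string $uri, bool $rfc3986): string
{
    return $rfc3986 ? rawurlencode($uri) : urlencode($uri);
}

/**
 * Hypothetical stand-in for the token-endpoint check. $stored is the value
 * persisted with the authorization code (already decoded, as the issue
 * observed); $incoming is the value received at /oauth/v2/token. When
 * $decodeIncoming is true the incoming value is urldecode()d first, which is
 * the change proposed in the thread. hash_equals() keeps the comparison an
 * exact, constant-time string match; RFC 6749 requires the redirect_uri at
 * the token endpoint to be identical to the one used in the authorization
 * request, so no looser matching is applied.
 */
function redirectUriMatches(string $incoming, string $stored, bool $decodeIncoming): bool
{
    $candidate = $decodeIncoming ? urldecode($incoming) : $incoming;
    return hash_equals($stored, $candidate);
}

// --- Walk through the scenario from the issue -----------------------------

// Both encoders agree for this URI because it contains neither spaces nor '~';
// the difference between them only shows up for those characters.
$formEncoded = encodeAsQueryValue(REDIRECT_URI, false);
$rfcEncoded  = encodeAsQueryValue(REDIRECT_URI, true);
printf("urlencode() == rawurlencode() for this URI: %s\n", var_export($formEncoded === $rfcEncoded, true));
printf("encoded form: %s\n", $rfcEncoded);

// What /oauth/v2/auth stored: the decoded URI.
$stored = REDIRECT_URI;

// What /oauth/v2/token received: still percent-encoded.
$incoming = $rfcEncoded;

printf("strict compare without decode: %s\n", var_export(redirectUriMatches($incoming, $stored, false), true));
printf("strict compare with urldecode(): %s\n", var_export(redirectUriMatches($incoming, $stored, true), true));

// Caveat: decode exactly once. A value that is already decoded and
// legitimately contains '+' or '%' is altered by a second urldecode(), so the
// normalisation must only be applied to a value known to be encoded, or the
// stored and incoming values must both be kept in the same form.
$plusUri = 'https://app.example/cb?tag=a+b';
printf("second decode turns '%s' into '%s'\n", $plusUri, urldecode($plusUri));
```

Run it with `php example.php`. The first comparison fails (encoded against decoded), the second succeeds once the incoming value is decoded, and the last line shows why the decode step must be applied on one side only: a registered redirect URI containing a literal `+` would no longer match itself after a second decode, which is the kind of silent mismatch that turns into the "redirect URI mismatch" error reported by the later commenters.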