WASReqURLOidc cookie encodes the request URL but doesn't decode it upon successful redirection #15023
Labels: bug (This bug is not present in a released version of Open Liberty), release bug (This bug is present in a released version of Open Liberty), release:21006, team:Security SSO
Describe the bug
We are calling a protected URL including some query params like
/protected/resource/?name=aaaaaaaa%20aaaaaaa&description=bbbbbbb%20bbbbbbbbbb&type=CHECKLIST
The server uses OIDC. The URL in the WASReqURL cookie appears to be incorrectly encoded:
WASReqURLOidcn1674482248=https://server.com/protected/resource/?name=aaaaaaaa%252520aaaaaaa&description=bbbbbbb%252520bbbbbbbbbb&type=CHECKLIST; Expires=Mon, 16 Nov 2020 21:25:46 GMT; Path=/; Secure; HttpOnly
Note that %20 becomes %252520.
Steps to Reproduce
Access a protected resource on a WLP server that uses OIDC.
Request 1:
GET /protected/resource/?name=aaaaaaaa%20aaaaaaa&description=bbbbbbb%20bbbbbbbbbb&type=CHECKLIST HTTP/1.1
Response 1:
HTTP/1.1 302 Found
Location: https://server.com/oidc/endpoint/ums/authorize?response_type=code&client_id=client&state=001605561526461ZdjsBdS3i&redirect_uri=https%3A%2F%2Fserver.com%3A9443%2Foidcclient%2Fredirect%2FumsClient&scope=openid+profile+email
Set-Cookie: WASReqURLOidcn1674482248=https://server.com/protected/resource/?name=aaaaaaaa%252520aaaaaaa&description=bbbbbbb%252520bbbbbbbbbb&type=CHECKLIST; Expires=Mon, 16 Nov 2020 21:25:46 GMT; Path=/; Secure; HttpOnly
Request 2:
GET https://server.com/oidc/endpoint/ums/authorize?response_type=code&client_id=client&state=001605561526461ZdjsBdS3i&redirect_uri=https%3A%2F%2Fserver.com%3A9443%2Foidcclient%2Fredirect%2FumsClient&scope=openid+profile+email
Response 2:
HTTP/1.1 302
Location: https://server.com/oidcclient/redirect/umsClient?session_state=8QI1st1xwaqMMD4HexvAblXcVxxAZBQKhAbY2TBTwBE%3D.656677c4b074&code=CIxsvDu7RGVNYNHufIlB28r5vVFkZt&state=001605561526461ZdjsBdS3i
Request 3:
GET /oidcclient/redirect/umsClient?session_state=8QI1st1xwaqMMD4HexvAblXcVxxAZBQKhAbY2TBTwBE%3D.656677c4b074&code=CIxsvDu7RGVNYNHufIlB28r5vVFkZt&state=001605561526461ZdjsBd
Response 3:
HTTP/1.1 302 Found
Location: https://server.com/protected/resource/?name=aaaaaaaa%252520aaaaaaa&description=bbbbbbb%252520bbbbbbbbbb&type=CHECKLIST
Request 4:
GET /protected/resource/?name=aaaaaaaa%252520aaaaaaa&description=bbbbbbb%252520bbbbbbbbbb&type=CHECKLIST HTTP/1.1
Expected behavior
Expect the URL query params to be decoded upon successful redirection
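As an added illustration (not code from this report or from Open Liberty), the following Python reproduces the observed cookie value from the original request URL by applying two extra percent-encoding passes, and shows that the URL is only restored when the same number of decode passes is applied. The safe-character set and the over-encoding check are assumptions made for the example, not Liberty's implementation.

```python
from urllib.parse import quote, unquote

# Constructed from the report: the URL the client requested (already
# percent-encoded once, %20 for a space) and the value observed in the
# WASReqURLOidc* cookie and in the final Location header.
ORIGINAL_URL = ("https://server.com/protected/resource/"
                "?name=aaaaaaaa%20aaaaaaa&description=bbbbbbb%20bbbbbbbbbb&type=CHECKLIST")
OBSERVED_COOKIE_URL = ("https://server.com/protected/resource/"
                       "?name=aaaaaaaa%252520aaaaaaa&description=bbbbbbb%252520bbbbbbbbbb&type=CHECKLIST")

# Assumption: the observed value keeps '/', ':', '?', '&' and '=' literal and
# only re-encodes '%', so each extra pass turns '%' into '%25'.
COOKIE_SAFE = "/:?&="


def encode_passes(url: str, passes: int) -> str:
    """Percent-encode the URL `passes` times (0 returns it unchanged)."""
    for _ in range(passes):
        url = quote(url, safe=COOKIE_SAFE)
    return url


def decode_passes(value: str, passes: int) -> str:
    """Reverse exactly `passes` encoding passes.

    The decode count must mirror the encode count: decoding fewer times
    leaves %252520 in the redirect (the report's bug), while decoding more
    times than were applied would turn data such as %2526 into a live '&'
    and change the meaning of the query string.
    """
    for _ in range(passes):
        value = unquote(value)
    return value


def extra_encoding_depth(value: str) -> int:
    """Heuristic check for a stored request URL: count the unquote() passes
    needed until no encoded '%' (%25) remains. 0 means the value is encoded
    exactly once, as a normal request URL is. A URL carrying a literal '%'
    in a parameter would also show %25, so treat a non-zero result as a
    signal to inspect, not as proof of a bug."""
    depth = 0
    while "%25" in value:
        value = unquote(value)
        depth += 1
    return depth
```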
Diagnostic information: