oauth2: Don't double encode URL fragments (#346)

Closes #345 Signed-off-by: Grigoriev, Nikolai <nikolai.grigoriev@nuance.com>
ory · Dec 23, 2018 · 1f41934 · 1f41934
1 parent 0761fca
commit 1f41934
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 1 deletion.
diff --git a/authorize_write.go b/authorize_write.go
@@ -50,9 +50,16 @@ func (f *Fosite) WriteAuthorizeResponse(rw http.ResponseWriter, ar AuthorizeRequ
 	}
 
 	// Implicit grants
-	redir.Fragment = resp.GetFragment().Encode()
+	// The endpoint URI MUST NOT include a fragment component.
+	redir.Fragment = ""
 
 	u := redir.String()
+
+	fr := resp.GetFragment()
+	if len(fr) > 0 {
+		u = u + "#" + fr.Encode()
+	}
+
 	u = plusMatch.ReplaceAllString(u, "%20")
 
 	// https://tools.ietf.org/html/rfc6749#section-4.1.1

diff --git a/authorize_write_test.go b/authorize_write_test.go
@@ -115,6 +115,24 @@ func TestWriteAuthorizeResponse(t *testing.T) {
 				}, header)
 			},
 		},
+		{
+			setup: func() {
+				redir, _ := url.Parse("https://foobar.com/?foo=bar")
+				ar.EXPECT().GetRedirectURI().Return(redir)
+				resp.EXPECT().GetFragment().Return(url.Values{"bar": {"baz"}, "scope": {"api:*"}})
+				resp.EXPECT().GetHeader().Return(http.Header{"X-Bar": {"baz"}})
+				resp.EXPECT().GetQuery().Return(url.Values{"bar": {"b+az"}, "scope": {"api:*"}})
+
+				rw.EXPECT().Header().Return(header)
+				rw.EXPECT().WriteHeader(http.StatusFound)
+			},
+			expect: func() {
+				assert.Equal(t, http.Header{
+					"X-Bar":    {"baz"},
+					"Location": {"https://foobar.com/?bar=b%2Baz&foo=bar&scope=api%3A%2A#bar=baz&scope=api%3A%2A"},
+				}, header)
+			},
+		},
 	} {
 		t.Logf("Starting test case %d", k)
 		c.setup()