
ignore duplicate param values in request processing

Open brockallen opened this issue 3 years ago • 3 comments

This PR adds logic when processing request parameters that are exact duplicates to filter/ignore them.

Fixes: https://github.com/DuendeSoftware/Support/issues/124

brockallen avatar Jul 18 '22 18:07 brockallen

We used to do it this way back in IdentityServer4. But I noticed here and here that dup parameters should be treated as an invalid_request error (of course, I guess except for the resource parameter).

brockallen avatar Jul 21 '22 18:07 brockallen

The RFC says

Parameters sent without a value MUST be treated as if they were omitted from the request. The authorization server MUST ignore unrecognized request parameters. Request and response parameters MUST NOT be included more than once.

https://datatracker.ietf.org/doc/html/rfc6749#section-3.1

leastprivilege avatar Jul 22 '22 05:07 leastprivilege

Will rework for 6.2 to validate against dups.

brockallen avatar Jul 22 '22 14:07 brockallen
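
The rule quoted above from RFC 6749 section 3.1, together with the outcome reached in the thread (validate against duplicates, with `resource` allowed to repeat), as an added C# example. It is not code from this PR or from IdentityServer; `DuplicateParameterCheck`, `RepeatableParameters` and the sample requests are constructed for illustration.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;

// Added example, not IdentityServer code. All type and member names are hypothetical.
public static class DuplicateParameterCheck
{
    // "resource" may legitimately repeat, per the exception noted in the thread.
    static readonly HashSet<string> RepeatableParameters = new(StringComparer.Ordinal) { "resource" };

    // Returns null when the request passes, or the OAuth error code to send back.
    public static string? Validate(string rawQuery, out Dictionary<string, string[]> parameters)
    {
        parameters = new Dictionary<string, string[]>(StringComparer.Ordinal);
        // ParseQueryString groups values by name and matches names case-insensitively,
        // so case variants of one name are counted as repeats here.
        var parsed = HttpUtility.ParseQueryString(rawQuery);
        foreach (var name in parsed.AllKeys)
        {
            if (name is null) continue; // token without "=", so no parameter name
            // RFC 6749 section 3.1: a parameter sent without a value is treated as omitted.
            var values = (parsed.GetValues(name) ?? Array.Empty<string>())
                .Where(v => v.Length > 0).ToArray();
            if (values.Length == 0) continue;
            // Same section: parameters MUST NOT be included more than once. Exact
            // duplicates are rejected as well, instead of being collapsed into one value.
            if (values.Length > 1 && !RepeatableParameters.Contains(name))
                return "invalid_request";
            parameters[name] = values;
        }
        return null;
    }

    public static void Main()
    {
        string[] samples = // constructed sample requests
        {
            "client_id=app&scope=openid&state=",   // empty state is dropped, request passes
            "client_id=app&client_id=app",         // exact duplicate, rejected
            "client_id=app&resource=https%3A%2F%2Fapi1.example&resource=https%3A%2F%2Fapi2.example",
        };
        foreach (var q in samples)
            Console.WriteLine((Validate(q, out _) ?? "ok") + " <- " + q);
    }
}
```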