AspNet.Security.OAuth.Providers

The Untappd provider sends token request parameters in both the query string and the request form

Open kevinchalet opened this issue 2 years ago • 0 comments

The Untappd provider uses GET requests and sends the token request parameters in both the query string and the request form using form URL-encoding, which is a strong sign something is not right, as GET requests are not expected to have content attached (.NET Core's HttpClient allows it, but on .NET Framework, the following code would throw an exception):

https://github.com/aspnet-contrib/AspNet.Security.OAuth.Providers/blob/cbbc7a1cb78ff9898b6110e8c60aae967fd86356/src/AspNet.Security.OAuth.Untappd/UntappdAuthenticationHandler.cs#L29-L74

We should determine whether this monstrosity is 100% required or remove the request form part if it's not.

/cc @martincostello

kevinchalet, Jun 02 '22 15:06