FOSOAuthServerBundle
URL Encoding issue in redirect_url check
I am trying to use a redirect_url that contains query parameters with the Authorization Code Grant flow. The redirects in the browser succeed, here is what chrome is requesting:
http://127.0.0.1:8080/app_dev.php/oauth/v2/auth?client_id=39691&response_type=code&redirect_uri=http://127.0.0.1:8091/authResponse?continue%3Dhttp://localhost:4200/assets/oauth.html%26client_id%3D39691
So the value of redirect_uri is http://127.0.0.1:8091/authResponse?continue%3Dhttp://localhost:4200/assets/oauth.html%26client_id%3D39691.
What ends up in the oauth_auth_code storage however is the value http://127.0.0.1:8091/authResponse?continue=http://localhost:4200/assets/oauth.html&client_id=39691 -- note that this URL seems to have been url-decoded before storage.
Now, when my oauth client calls the /oauth/v2/token endpoint to retrieve a token from the code obtained above, the redirect_url comparison fails because the incoming URL is not url-decoded. Here is the part that fails: https://github.com/FriendsOfSymfony/oauth2-php/blob/master/lib/OAuth2.php#L892-L898
I extended the error message to include both: $input["redirect_uri"] and $authCode->getRedirectUri(), and here is what it says:
{"error":"redirect_uri_mismatch","error_description":"The redirect URI is missing or do not match. Input: http://127.0.0.1:8091/authResponse?continue%3Dhttp://localhost:4200/assets/oauth.html%26client_id%3D39691 / Stored: http://127.0.0.1:8091/authResponse?continue=http://localhost:4200/assets/oauth.html&client_id=39691"}
The solution would be to either store redirect URIs in their encoded form in the /oauth/v2/auth endpoint, or to url-decode the incoming redirect_uri in the /oauth/v2/token endpoint.
As it stands now, it looks like having query parameters in a redirect_uri doesn't work.
I think your redirect uri should be http%3A%2F%2F127.0.0.1%3A8091%2FauthResponse%3Fcontinue%253Dhttp%3A%2F%2Flocalhost%3A4200%2Fassets%2Foauth.html%2526client_id%253D39691 when passed as a query parameter.
Could you try with this value?
I'm using Spring's UriComponentsBuilder to build the URI. Apparently, they encode according to RFC 3986, see http://stackoverflow.com/a/21460758 - so I think the representation should be fine.
I can try your suggestion later, but I'm not at home right now.
This bundle and the library use the urlencode function and not the rawurlencode one (which is compatible with RFC 3986).
The redirect_url comes in as a query parameter, which itself is url-encoded. The problem is that it doesn't get decoded in the token endpoint - at least I didn't seem to find where?
When I modify the call to validateRedirectUri from the linked code in my original post like this, it fixes the issue for me (added call to urldecode):
$this->validateRedirectUri(urldecode($input["redirect_uri"]), $authCode->getRedirectUri());
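An added example (not code from FOSOAuthServerBundle or oauth2-php) that replays the values quoted in this thread to show why the exact comparison fails, what the posted urldecode fix changes, and why the rawurlencode form suggested earlier makes the exact match succeed. The request parsing and storage step are simulated with parse_str rather than the bundle's own request handling.

```php
<?php
// Added example, not code from FOSOAuthServerBundle or oauth2-php. It replays
// the values quoted in the issue (re-typed here as constructed sample input)
// to show why the redirect_uri comparison fails and what each remedy changes.

// The redirect_uri value exactly as the browser request in the issue carried it:
// only the inner query's "=" and "&" are percent-encoded.
const CLIENT_REDIRECT_URI = 'http://127.0.0.1:8091/authResponse?continue%3Dhttp://localhost:4200/assets/oauth.html%26client_id%3D39691';

// Simulates the /oauth/v2/auth side: PHP's query-string parsing ($_GET,
// parse_str) percent-decodes each value once; that decoded string is the
// form the issue reports finding in oauth_auth_code storage.
function storedRedirectUri(string $rawQuery): string
{
    parse_str($rawQuery, $params);
    return $params['redirect_uri'];
}

// The exact-match check behind the thread's linked validateRedirectUri call.
function matchesExactly(string $incoming, string $stored): bool
{
    return $incoming === $stored;
}

// Remedy 1 (the one-line fix posted in the thread): decode the incoming value
// once before comparing. Caveat: urldecode() is not idempotent, so applying it
// to a value $_POST has already decoded can make two distinct URIs compare
// equal (a literal "%26" the client meant to keep becomes "&").
function matchesAfterDecode(string $incoming, string $stored): bool
{
    return urldecode($incoming) === $stored;
}

// Remedy 2 (the rawurlencode suggestion): the client RFC 3986-encodes the whole
// redirect_uri when placing it in the query string, so one server-side decode
// yields the client's value unchanged and the exact match succeeds.
function encodeForQuery(string $redirectUri): string
{
    return rawurlencode($redirectUri);
}

$asSentByBrowser = 'client_id=39691&response_type=code&redirect_uri=' . CLIENT_REDIRECT_URI;
$stored = storedRedirectUri($asSentByBrowser);
echo "stored:        $stored\n";
echo "exact match:   " . var_export(matchesExactly(CLIENT_REDIRECT_URI, $stored), true) . "\n";
echo "after decode:  " . var_export(matchesAfterDecode(CLIENT_REDIRECT_URI, $stored), true) . "\n";

$rfc3986Query = 'client_id=39691&response_type=code&redirect_uri=' . encodeForQuery(CLIENT_REDIRECT_URI);
$storedRfc = storedRedirectUri($rfc3986Query);
echo "stored (RFC 3986 client): $storedRfc\n";
echo "exact match:   " . var_export(matchesExactly(CLIENT_REDIRECT_URI, $storedRfc), true) . "\n";
```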
I've submitted a PR to the oauth2-php repository which fixes the issue for me and doesn't break any tests. I'd love to get some feedback on this!
// cc @GuilhemN
Any news on this issue? I ran into the same problem; is there a workaround to fix it?
Hello, I still have the same problem. I keep on getting this error for a new client. {"error":"redirect_uri_mismatch","error_description":"The redirect URI is mandatory and was not supplied."}
I did not have a similar problem with the previous clients that I created. Is there any configuration that I must check to fix this problem? I created the client through the command line. Then I am using the browser to send data in the URL and get a response code. I did this earlier and it has worked.