AppAuth-iOS

Authorization URL query parameters are overwritten when the auth request is constructed.

Open ba-a opened this issue 4 years ago • 3 comments

I don't know if this behavior is intended, but at least it behaves differently compared to the Android version. Recently I implemented an Azure B2C login in a Flutter app.

The authorizationUrl contains a query parameter which is crucial for the login page to be found. It looks something like this:

"authorization_endpoint": "https://xxxloginUrl.onmicrosoft.com/oauth2/v2.0/authorize?p=b2c_1a_signinusername".

The important part which gets lost on the way here is p=b2c_1a_signinusername

On Android this was working fine, but on iOS the page was not found. After some debugging I found that the request is handled in OIDAuthorizationRequest#authorizationRequestURL.

In there the whole request for the authorization is constructed and in the end it calls URLByReplacingQueryInURL which will replace all existing query parameters.

On Android this is not happening. We worked around this on iOS for now by adding the query parameter as an additionalParameter, but it feels strange to me. Is this working as intended? As far as I can see, this is not the only place where it is handled that way, just the one I stumbled across. I'm adding the method where this is happening:

- (NSURL *)authorizationRequestURL {
  OIDURLQueryComponent *query = [[OIDURLQueryComponent alloc] init];

  // Required parameters.
  [query addParameter:kResponseTypeKey value:_responseType];
  [query addParameter:kClientIDKey value:_clientID];

  // Add any additional parameters the client has specified.
  [query addParameters:_additionalParameters];

  // Add optional parameters, as applicable.
  if (_redirectURL) {
    [query addParameter:kRedirectURLKey value:_redirectURL.absoluteString];
  }
  if (_scope) {
    [query addParameter:kScopeKey value:_scope];
  }
  if (_state) {
    [query addParameter:kStateKey value:_state];
  }
  if (_nonce) {
    [query addParameter:kNonceKey value:_nonce];
  }
  if (_codeChallenge) {
    [query addParameter:kCodeChallengeKey value:_codeChallenge];
  }
  if (_codeChallengeMethod) {
    [query addParameter:kCodeChallengeMethodKey value:_codeChallengeMethod];
  }

  // Construct the URL:
  return [query URLByReplacingQueryInURL:_configuration.authorizationEndpoint];
}

Kind regards

ba-a, Aug 27 '20 13:08
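RFC 6749, section 3.1 allows an authorization endpoint URI to carry a query component and requires that it be retained when request parameters are added. The block below is an added example, not AppAuth's code and not from the issue author, showing that merge with Foundation only; `ExampleMergedAuthorizationURL`, the error domain, and the sample endpoint and parameter values are assumptions made for illustration.

```objective-c
#import <Foundation/Foundation.h>

// Hypothetical helper, not part of AppAuth: appends request parameters while
// retaining the query already present on the endpoint (RFC 6749, section 3.1).
static NSURL *ExampleMergedAuthorizationURL(
    NSURL *endpoint, NSArray<NSURLQueryItem *> *requestItems, NSError **error) {
  NSURLComponents *components =
      [NSURLComponents componentsWithURL:endpoint resolvingAgainstBaseURL:NO];
  NSMutableArray<NSURLQueryItem *> *merged =
      [NSMutableArray arrayWithArray:components.queryItems ?: @[]];
  // Names already carried by the endpoint, e.g. the B2C policy parameter "p".
  NSMutableSet<NSString *> *seen = [NSMutableSet set];
  for (NSURLQueryItem *item in merged) {
    [seen addObject:item.name];
  }
  for (NSURLQueryItem *item in requestItems) {
    // A parameter must not be sent twice. Fail closed instead of letting an
    // endpoint-supplied value compete with client_id, redirect_uri or state.
    if ([seen containsObject:item.name]) {
      if (error) {
        NSString *message =
            [NSString stringWithFormat:@"duplicate parameter %@", item.name];
        *error = [NSError errorWithDomain:@"ExampleAuthURLErrorDomain"  // assumed name
                                     code:1
                                 userInfo:@{NSLocalizedDescriptionKey : message}];
      }
      return nil;
    }
    [seen addObject:item.name];
    [merged addObject:item];
  }
  components.queryItems = merged;
  return components.URL;
}

int main(void) {
  @autoreleasepool {
    // Constructed sample endpoint, modelled on the one quoted in the issue.
    NSURL *endpoint = [NSURL URLWithString:@"https://login.example.invalid/oauth2/v2.0/"
                                           @"authorize?p=b2c_1a_signinusername"];
    NSArray<NSURLQueryItem *> *items = @[
      [NSURLQueryItem queryItemWithName:@"response_type" value:@"code"],
      [NSURLQueryItem queryItemWithName:@"client_id" value:@"example-client"],
    ];
    NSError *error = nil;
    NSURL *url = ExampleMergedAuthorizationURL(endpoint, items, &error);
    NSLog(@"%@", url ? url.absoluteString : error.localizedDescription);
  }
  return 0;
}
```

Because the endpoint's own items are placed first, the position of `p` does not depend on dictionary ordering, and a name that appears both on the endpoint and in the request is reported as an error rather than silently resolved.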

Hi, I am having the same issue. No matter what I do, I cannot place the ?p=policy correctly.

  • Tried to add it to the endpoint, but it got replaced: EndpointConfiguration.CEnvironment.b2cEndpoint + "/" + EndpointConfiguration.CEnvironment.b2cTenantName + "/oauth2/v2.0/authorize EndpointConfiguration.CEnvironment.b2cEndpoint + "/" + EndpointConfiguration.CEnvironment.b2cTenantName + "/oauth2/v2.0/authorize?p=\(EndpointConfiguration.CEnvironment.b2cSignInPolicy)"

  • Tried to add it as additional parameters. If it is a single parameter "p" : "policy", nonce gets in front. If I have more additional parameters it is the same: it ends up in some place where I don't want it, even though it is in the first position in the dictionary. additionalParameters:["p" : "\(EndpointConfiguration.CEnvironment.b2cSignInPolicy)"]) additionalParameters:["p" : "\(EndpointConfiguration.CEnvironment.b2cSignInPolicy)","prompt" : "login", "response_mode": "query"])

mdanazhiev, Oct 25 '21 07:10

@ba-a @mdanazhiev if this is still relevant, another solution was suggested by me here: https://github.com/MaikuB/flutter_appauth/issues/242

It's what I'm currently using.

bryanCancelWT, Apr 28 '22 01:04

Thank you, I did subclass the OID Auth request and made some changes.

mdanazhiev, Apr 28 '22 06:04