February 2019 - last edited February 2019
Repro steps:
https://secure.myob.com/oauth2/v1/authorize?client_id={CLIENT_ID}&response_type=code&scope=CompanyFile&redirect_uri={REDIRECT_URI}&state={STATE}
Expected behavior:
After the user clicks 'No Thanks' the MYOB website would redirect back to the application w/ the state parameter intact:
https://dev.accountright.finagraphstrongbox.com/v1/oauth2/callback?error=access_denied&state={STATE}
Actual behavior:
After the user clicks 'No Thanks' the MYOB website redirects back, but strips the state parameter from the query string.
https://dev.accountright.finagraphstrongbox.com/v1/oauth2/callback?error=access_denied
According to the RFC specification, the authorization provider is responsible for passing back the state parameter even for an error response. Please refer to https://tools.ietf.org/html/rfc6749#section-4.1.2.
4.1.2.1. Error Response (RFC 6749, OAuth 2.0, October 2012)
state
    REQUIRED if a "state" parameter was present in the client authorization request. The exact value received from the client.
For example, the authorization server redirects the user-agent by sending the following HTTP response:
HTTP/1.1 302 Found
Location: https://client.example.com/cb?error=access_denied&state=xyz
Not returning the state parameter opens up the endpoint to CSRF attacks. Is this bug being tracked and a fix planned?
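The client-side consequence of the behaviour described in this report is what a callback handler should do when the state comes back missing. The following is an added example, not code from the original post or from Finagraph or MYOB: a minimal OAuth 2.0 client that mints a per-request state, binds it to the user's session, and verifies it on the callback before it looks at either `code` or `error`. The endpoint and redirect URI are the ones quoted in the report; `CLIENT_ID` is a constructed placeholder, and the session is a plain dict standing in for a server-side session store. A callback that arrives without a state, which is exactly the `error=access_denied` case above, is rejected rather than treated as a benign cancellation, because an attacker-initiated redirect to the callback would look identical.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoint and redirect URI as quoted in the report; client id is a constructed placeholder.
AUTHORIZE_ENDPOINT = "https://secure.myob.com/oauth2/v1/authorize"
REDIRECT_URI = "https://dev.accountright.finagraphstrongbox.com/v1/oauth2/callback"
CLIENT_ID = "example-client-id"


def new_state() -> str:
    """Unguessable per-request state; it is only meaningful when bound to a session."""
    return secrets.token_urlsafe(32)


def build_authorize_url(session: dict, client_id: str = CLIENT_ID) -> str:
    """Store a fresh state in the caller's session and build the authorization request."""
    state = new_state()
    session["oauth_state"] = state
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "scope": "CompanyFile",
        "redirect_uri": REDIRECT_URI,
        "state": state,
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}"


def handle_callback(session: dict, callback_url: str) -> dict:
    """Validate the redirect back from the authorization server.

    The state check runs before `code` or `error` is inspected, so a response
    that dropped the state is rejected even when it only reports access_denied.
    The pending state is consumed on first use so it cannot be replayed.
    """
    expected = session.pop("oauth_state", None)
    params = parse_qs(urlparse(callback_url).query)
    received = params.get("state", [None])[0]

    if expected is None:
        return {"accepted": False, "reason": "no_pending_request"}
    if received is None:
        return {"accepted": False, "reason": "missing_state"}
    # Constant-time comparison; the values are not secret after use but
    # this avoids leaking prefix-match timing while the flow is pending.
    if not hmac.compare_digest(expected, received):
        return {"accepted": False, "reason": "state_mismatch"}

    if "error" in params:
        return {"accepted": True, "outcome": "error", "error": params["error"][0]}
    if "code" in params:
        return {"accepted": True, "outcome": "code", "code": params["code"][0]}
    return {"accepted": False, "reason": "no_code_or_error"}


def demo() -> tuple:
    """Run the two callbacks from the report against a fresh session.

    Returns (result for callback with state, result for callback without state).
    Both callback URLs are constructed to mirror the report's expected and
    actual redirects.
    """
    session = {}
    build_authorize_url(session)
    with_state = f"{REDIRECT_URI}?error=access_denied&state={session['oauth_state']}"
    ok = handle_callback(session, with_state)

    build_authorize_url(session)
    stripped = f"{REDIRECT_URI}?error=access_denied"
    bad = handle_callback(session, stripped)
    return ok, bad


if __name__ == "__main__":
    accepted, rejected = demo()
    print("with state   :", accepted)
    print("without state:", rejected)
```

The handler treats `error=access_denied` without a state the same way it treats a forged `code`: the request cannot be tied to a flow this user started, so the only safe response is to discard it and, if desired, restart the flow. That is why the RFC text quoted above makes `state` REQUIRED on the error branch as well.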
February 2019
Hi @Finagraph
I’d recommend reaching out to our API team on developers@myob.com, and passing this information onto them.
Regards,
Neil
MYOB Community Support
February 2019
I reached out to the development team about this issue today. Hoping for a response and will update this thread if I get one.