Finagraph
6 years ago - Contributing User
Bug in OAuth2 callback: 'state' parameter not set when redirecting after user declines to authorize application.
Repro steps:
- Application redirects to the MYOB AccountRight Live OAuth2 authorization endpoint at:
https://secure.myob.com/oauth2/v1/authorize?client_id={CLIENT_ID}&response_type=code&scope=CompanyFile&redirect_uri={REDIRECT_URI}&state={STATE}
- User logs into a MYOB account.
- User clicks 'No Thanks'.
Expected behavior:
After the user clicks 'No Thanks', the MYOB website should redirect back to the application with the state parameter intact:
https://dev.accountright.finagraphstrongbox.com/v1/oauth2/callback?error=access_denied&state={STATE}
Actual behavior:
After the user clicks 'No Thanks', the MYOB website redirects back, but strips the state parameter from the query string:
https://dev.accountright.finagraphstrongbox.com/v1/oauth2/callback?error=access_denied
According to the RFC specification, the authorization provider is responsible for passing back the state parameter even for an error response. Please refer to https://tools.ietf.org/html/rfc6749#section-4.1.2.
4.1.2.1. Error Response (RFC 6749, OAuth 2.0, October 2012)
state
REQUIRED if a "state" parameter was present in the client authorization request. The exact value received from the client.
For example, the authorization server redirects the user-agent by sending the following HTTP response:
HTTP/1.1 302 Found
Location: https://client.example.com/cb?error=access_denied&state=xyz
Not returning the state parameter opens up the endpoint to CSRF attacks. Is this bug being tracked and a fix planned?
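The client-side consequence of the report above, shown as an added example (not Finagraph's or MYOB's code): a callback handler that binds a per-attempt state to the user's session and refuses to act on any redirect, success or error, that does not echo it back. The callback URL is the one quoted in the report; the session dict and function names are assumptions for the example.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Callback URL taken from the report; used here only to build the sample redirects.
CALLBACK_URL = "https://dev.accountright.finagraphstrongbox.com/v1/oauth2/callback"


def new_authorization_state(session: Dict[str, str]) -> str:
    """Mint an unguessable per-attempt state and bind it to the user's session."""
    state = secrets.token_urlsafe(32)
    session["oauth2_state"] = state
    return state


def handle_callback(callback_url: str, session: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Classify a redirect from the authorization server.

    ("authorized", code)  state matched and a code was returned
    ("declined", error)   state matched and the server reported an error
    ("rejected", reason)  state missing or wrong: the redirect is not acted upon
    """
    expected = session.pop("oauth2_state", None)  # one-time use, consumed either way
    query = parse_qs(urlparse(callback_url).query)
    received = query.get("state", [None])[0]

    if expected is None:
        return ("rejected", "no authorization attempt pending in this session")
    if received is None:
        # The case from the report: error redirect with the state stripped.
        return ("rejected", "state parameter missing from redirect")
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return ("rejected", "state does not match this session")
    if "error" in query:
        return ("declined", query["error"][0])
    if "code" in query:
        return ("authorized", query["code"][0])
    return ("rejected", "neither code nor error in redirect")


def replay_report() -> Dict[str, Tuple[str, Optional[str]]]:
    """Run both redirects quoted in the report through a fresh session each."""
    session: Dict[str, str] = {}
    state = new_authorization_state(session)
    with_state = handle_callback(f"{CALLBACK_URL}?error=access_denied&state={state}", session)
    session = {}
    new_authorization_state(session)
    stripped = handle_callback(f"{CALLBACK_URL}?error=access_denied", session)
    return {"expected_behavior": with_state, "actual_behavior": stripped}
```

With the state stripped, the client cannot tell a user's genuine decline from a redirect forged by a third party, so the only safe response is to discard it rather than record anything against the session.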