Forum Discussion

Finagraph
Contributing User
6 years ago

Bug in OAuth2 callback: 'state' parameter not set when redirecting after user declines to authorize application.

Repro steps:

  1. Application redirects to the MYOB AccountRight Live OAuth2 authorization endpoint at:
     https://secure.myob.com/oauth2/v1/authorize?client_id={CLIENT_ID}&response_type=code&scope=CompanyFile&redirect_uri={REDIRECT_URI}&state={STATE}
  2. User logs into a MYOB account.
  3. User clicks 'No Thanks'.

Expected behavior:

After the user clicks 'No Thanks' the MYOB website would redirect back to the application w/ the state parameter intact:

https://dev.accountright.finagraphstrongbox.com/v1/oauth2/callback?error=access_denied&state={STATE}

Actual behavior:

After the user clicks 'No Thanks' the MYOB website redirects back, but strips the state parameter from the query string.

https://dev.accountright.finagraphstrongbox.com/v1/oauth2/callback?error=access_denied

According to the RFC specification, the authorization provider is responsible for passing back the state parameter even for an error response. Please refer to https://tools.ietf.org/html/rfc6749#section-4.1.2.

4.1.2.1. Error Response

RFC 6749                        OAuth 2.0                   October 2012


   state
         REQUIRED if a "state" parameter was present in the client
         authorization request.  The exact value received from the
         client.

   For example, the authorization server redirects the user-agent by
   sending the following HTTP response:

   HTTP/1.1 302 Found
   Location: https://client.example.com/cb?error=access_denied&state=xyz

Not returning the state parameter opens up the endpoint to CSRF attacks. Is this bug being tracked and a fix planned?
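To show why a client cannot simply ignore a missing state on the error path, here is an added example (not code from the original post, not Finagraph's or MYOB's implementation) of a redirect_uri callback handler that binds every provider response, success or error, to the state it stored when the flow began. The session store, the session ids and the sample callback URLs are constructed for the example; the URL shapes follow the "expected" and "actual" redirects quoted above.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed in-memory store of pending authorization requests:
# session_id -> state value issued when the user was sent to the provider.
PENDING_STATES = {}


def begin_authorization(session_id):
    """Mint an unguessable state, remember it for this session, return it.

    The caller would put it into the &state= query parameter of the
    authorize redirect, exactly as in the repro steps above.
    """
    state = secrets.token_urlsafe(32)
    PENDING_STATES[session_id] = state
    return state


def handle_callback(session_id, redirect_url):
    """Classify a provider redirect as ('authorized', code),
    ('denied', error) or ('rejected', reason).

    The state check happens first and applies to error responses as
    well as success responses: a response that carries no state, or a
    state that does not match what this session issued, is not bound
    to any flow this client started and is treated as untrusted.
    """
    params = parse_qs(urlparse(redirect_url).query)
    received = params.get("state", [None])[0]
    expected = PENDING_STATES.get(session_id)

    if expected is None:
        return ("rejected", "no authorization pending for this session")
    if received is None:
        # This is the "actual behavior" case from the post: the provider
        # dropped state on access_denied, so the response cannot be bound
        # to the user's session and is discarded rather than acted on.
        return ("rejected", "state parameter missing from callback")
    # Constant-time compare so the check does not leak the expected value.
    if not hmac.compare_digest(expected, received):
        return ("rejected", "state parameter does not match this session")

    # State matched: it is single-use, so consume it before proceeding.
    del PENDING_STATES[session_id]

    if "error" in params:
        # The "expected behavior" case: a denial we can attribute to the
        # user's own flow, so the client can safely clear its pending state.
        return ("denied", params["error"][0])
    if "code" in params:
        # The code would now be exchanged at the token endpoint (not shown).
        return ("authorized", params["code"][0])
    return ("rejected", "callback carried neither code nor error")


def demo():
    """Run the two redirects quoted in the post through the handler."""
    callback = "https://dev.accountright.finagraphstrongbox.com/v1/oauth2/callback"
    results = {}

    sid = "session-A"  # constructed session id
    state = begin_authorization(sid)
    results["expected"] = handle_callback(sid, f"{callback}?error=access_denied&state={state}")

    sid = "session-B"
    begin_authorization(sid)
    results["actual"] = handle_callback(sid, f"{callback}?error=access_denied")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

With the provider behaving as RFC 6749 requires, the denial is bound to the session and the client can clean up its pending flow; with state stripped, the handler can only reject the response, because nothing ties it to a request this client actually made. The same check is what stops a forged callback (for example a `code` belonging to another account) from being accepted on the success path.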

    • Finagraph
      Contributing User

      I reached out to the development team about this issue today. Hoping for a response and will update this thread if I get one.