Bug in OAuth2 callback: 'state' parameter not set when redirecting after user declines to authorize application.

Finagraph (Contributing Partner)


Repro steps:

  1. Application redirects to the MYOB AccountRight Live OAuth2 authorization endpoint at:
     https://secure.myob.com/oauth2/v1/authorize?client_id={CLIENT_ID}&response_type=code&scope=CompanyFile&redirect_uri={REDIRECT_URI}&state={STATE}
  2. User logs into a MYOB account.
  3. User clicks 'No Thanks'.

[Attached screenshot: MYOB.png]

Expected behavior:

After the user clicks 'No Thanks' the MYOB website would redirect back to the application with the state parameter intact:

https://dev.accountright.finagraphstrongbox.com/v1/oauth2/callback?error=access_denied&state={STATE}

Actual behavior:

After the user clicks 'No Thanks' the MYOB website redirects back, but strips the state parameter from the query string:

https://dev.accountright.finagraphstrongbox.com/v1/oauth2/callback?error=access_denied

 

According to the RFC specification, the authorization provider is responsible for passing back the state parameter even for an error response. Please refer to https://tools.ietf.org/html/rfc6749#section-4.1.2.

RFC 6749, OAuth 2.0, October 2012, section 4.1.2.1 (Error Response):

   state
         REQUIRED if a "state" parameter was present in the client
         authorization request.  The exact value received from the
         client.

   For example, the authorization server redirects the user-agent by
   sending the following HTTP response:

   HTTP/1.1 302 Found
   Location: https://client.example.com/cb?error=access_denied&state=xyz

Not returning the state parameter opens up the endpoint to CSRF attacks. Is this bug being tracked and a fix planned?
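The exchange described in the post, written out as an added example (this is illustrative code, not the poster's application or MYOB's server): one helper plays the client that mints and stores a `state`, one plays an RFC 6749 §4.1.2-compliant authorization server that echoes `state` back on both the success and the `access_denied` branch, and the callback handler checks `state` before it looks at `code` or `error`. Because the check runs first, the stripped redirect reported above (`?error=access_denied` with no `state`) is rejected rather than treated as a genuine decline, and a forged callback carrying an attacker-chosen `state` is rejected the same way. The helper names, the `session` dict, the placeholder `client_id` and the example `code` value (taken from the RFC's own example) are all assumptions for this demonstration.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Endpoints from the post; only used to build and parse URLs offline.
AUTHORIZE_ENDPOINT = "https://secure.myob.com/oauth2/v1/authorize"
REDIRECT_URI = "https://dev.accountright.finagraphstrongbox.com/v1/oauth2/callback"


def build_authorization_url(session: dict, client_id: str) -> str:
    """Client side, step 1: mint an unguessable state, bind it to the user's
    session, and send the user-agent to the authorization endpoint."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state  # one pending state per session
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "CompanyFile",
        "redirect_uri": REDIRECT_URI,
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def authorization_server_redirect(redirect_uri: str, state: str, approved: bool,
                                  code: str = "SplxlOBeZQQYbYS6WxSbIA") -> str:
    """Hypothetical authorization server that follows RFC 6749 section 4.1.2:
    the received state is echoed back unchanged whether the user approved
    (code) or declined (error=access_denied). Returns the Location header
    value of the 302. The default code is the RFC's example value."""
    if approved:
        params = {"code": code, "state": state}
    else:
        params = {"error": "access_denied", "state": state}
    return f"{redirect_uri}?{urlencode(params)}"


def handle_callback(session: dict, location: str) -> dict:
    """Client side, step 2: validate the redirect before acting on it.

    The pending state is consumed (one-time use) and compared in constant
    time against what came back. Anything without a matching state is
    rejected, including an error response, because without state the client
    cannot tell a real user decline from a cross-site forged request."""
    expected = session.pop("oauth_state", None)
    query = parse_qs(urlparse(location).query, keep_blank_values=True)
    received = query.get("state", [None])[0]

    if (expected is None or received is None
            or not secrets.compare_digest(expected.encode(), received.encode())):
        return {"status": "rejected", "reason": "state missing or mismatched"}
    if "error" in query:
        return {"status": "declined", "error": query["error"][0]}
    if "code" in query:
        return {"status": "authorized", "code": query["code"][0]}
    return {"status": "rejected", "reason": "neither code nor error present"}


if __name__ == "__main__":
    session = {}
    build_authorization_url(session, "client-id-placeholder")
    state = session["oauth_state"]

    # Spec-compliant decline: state echoed back, recognised as a decline.
    print(handle_callback(dict(session), authorization_server_redirect(REDIRECT_URI, state, False)))
    # Behaviour reported in the post: state stripped, so the client rejects it.
    print(handle_callback(dict(session), REDIRECT_URI + "?error=access_denied"))
```

The same rule applies to the success branch: a `code` that arrives without the expected `state` is dropped too, which is what makes `state` a CSRF token for the redirect endpoint rather than a cosmetic round-trip value.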

Neil_M (Former Staff)

Re: Bug in OAuth2 callback: 'state' parameter not set when redirecting after user declines to authorize application.

Hi @Finagraph

I'd recommend reaching out to our API team on developers@myob.com, and passing this information on to them.

Regards,
Neil

MYOB Community Support


Finagraph (Contributing Partner)

Re: Bug in OAuth2 callback: 'state' parameter not set when redirecting after user declines to authorize application.

I reached out to the development team about this issue today. Hoping for a response and will update this thread if I get one.
