pancakeslp
commented
1 year ago Disclaimer just a guy, not a bungie dev
I think you are URL encoding (also know as percent encoding) state not base 64 encoding state
If I base64 encode your state using the btoa method in the browser it would look like WTBLRTUzOUlzK2NYM0d3NUtrY0kvYnQvQldBeE8yZUtXUWVxdmkvRjhtST0=
https://developer.mozilla.org/en-US/docs/Web/API/btoa
Also I would not expect base64 used in URLs to contain plus or space. There is a special version of base64 called base64url where the plus and slash characters are replaced for other symbols. https://en.wikipedia.org/wiki/Base64#URL_applications
In my experience most developers will consider plus and space are interchangeable when used in a post or in form data sent via URL.
TheEvilAmongUs
I'm having an issue validating the state coming back from a request to the OAuth Authorization URL if it contains a '+'. (I'm just base64 encoding a randomly generated byte array and using that as a state.)
Example: URL off to Bungie: https://www.bungie.net/en/oauth/authorize?client_id=[redacted]&response_type=code&state=Y0KE539Is%2BcX3Gw5KkcI%2Fbt%2FBWAxO2eKWQeqvi%2FF8mI%3D
State:
Y0KE539Is+cX3Gw5KkcI/bt/BWAxO2eKWQeqvi/F8mI=Encoded State:Y0KE539Is%2BcX3Gw5KkcI%2Fbt%2FBWAxO2eKWQeqvi%2FF8mI%3DRedirect URL back to my site: https://localhost:7229/signin?code=[redacted]&state=Y0KE539Is%20cX3Gw5KkcI%2Fbt%2FBWAxO2eKWQeqvi%2FF8mI%3D
State:
Y0KE539Is cX3Gw5KkcI/bt/BWAxO2eKWQeqvi/F8mI=Encoded State:Y0KE539Is%20cX3Gw5KkcI%2Fbt%2FBWAxO2eKWQeqvi%2FF8mI%3DOddly, this appears to only happen the first time a user goes to the authorize endpoint. I'm assuming that this is due to the first authorize request redirecting to https://www.bungie.net/en/User/JoinUp where the user would sign in to their Bungie account. (The encoded '+' must get lost in translation somewhere.)