IdentityModel / oidc-client-js

OpenID Connect (OIDC) and OAuth2 protocol support for browser-based JavaScript applications
Apache License 2.0

Double-hyphens in the value of the state query parameter #1214

Closed SergueiKomarov closed 4 years ago

SergueiKomarov commented 4 years ago

Double-hyphens in the value of the state query parameter trigger the WAF SQL injection rule resulting in 403 (see screenshot). Double-hyphens should not be used in the value of the state parameter or its value should be base64 encoded before sending over the wire.

[screenshot: double-hyphens-in-status-parsm]

brockallen commented 4 years ago

Are you sure that state value is coming from this library? That looks more like the state value from ASP.NET Core's OIDC handler.

SergueiKomarov commented 4 years ago

This 403 error was observed in a React app (just markup & JS, no server-side code) using the oidc-client-js lib with the Redux-oidc wrapper. Our React code does not explicitly create the OIDC state parameter value, which leads us to believe that it must be this library.

brockallen commented 4 years ago

What was the resolution?

SergueiKomarov commented 4 years ago

Hi Brock,

Not an oidc-client-js issue. The screenshot provided hid the full URL, the parameter that caused the issue with WAF was session_state, not the state one. It is a known issue and we found a workaround. Apologies for the false alarm.

Thanks!

Serguei Komarov
