damienbod / angular-auth-oidc-client

npm package for OpenID Connect, OAuth Code Flow with PKCE, Refresh tokens, Implicit Flow
https://www.npmjs.com/package/angular-auth-oidc-client
MIT License

[Bug]: Query parameter hijacking #1935

Open erichjsonfosse opened 3 weeks ago

erichjsonfosse commented 3 weeks ago

Version

At least 16 and 17

Please provide a link to a minimal reproduction of the bug

No response

Please provide the exception or error you saw

The `isCallbackFromSts` method only checks for one of the query parameters in the `CALLBACK_PARAMS_TO_CHECK` array, effectively hijacking these parameters for every route in the application.

Steps to reproduce the behavior

Add any of the `CALLBACK_PARAMS_TO_CHECK` (`['code', 'state', 'token', 'id_token']`) to the application URL, and the `isCallbackFromSts` method will return true.

A clear and concise description of what you expected to happen.

I would expect `isCallbackFromSts` to take the redirect URI into consideration.

Additional context

No response

FabianGosebrink commented 3 weeks ago

Related to https://github.com/damienbod/angular-auth-oidc-client/issues/1912
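The behaviour the report describes, as an added example that is not part of the issue thread and not code from angular-auth-oidc-client: `isCallbackFromStsLoose` models the check as the reporter describes it (any one of the four parameters anywhere in the URL makes every route look like a callback), and `isCallbackFromStsStrict` is one hypothetical stricter form that also requires the URL to sit on the configured redirect URI and to carry the parameter combination the flow actually produces (`code` plus `state` in the query for the code flow, `id_token` plus `state` in the fragment for the implicit flow). The function names, the `redirectUrl` argument, the fragment handling and the sample URLs are assumptions for illustration, not the library's API.

```typescript
// Added example for issue #1935; not code from angular-auth-oidc-client.
// The loose check mirrors the behaviour the issue describes; the strict
// check is a hypothetical alternative, not the library's implementation.

// The parameters the issue says CALLBACK_PARAMS_TO_CHECK contains.
export const CALLBACK_PARAMS_TO_CHECK: string[] = ["code", "state", "token", "id_token"];

// Collect query (?a=b) and fragment (#a=b) parameters of a URL into one map.
// Merging the fragment is an assumption: implicit-flow responses arrive there.
export function callbackParams(url: string): URLSearchParams {
  const u = new URL(url);
  const params = new URLSearchParams(u.search);
  const fragment = new URLSearchParams(u.hash.replace(/^#/, ""));
  fragment.forEach((value, key) => params.append(key, value));
  return params;
}

// Loose check, as the issue describes it: true as soon as ANY of the listed
// parameters is present, regardless of which route the application is on.
export function isCallbackFromStsLoose(url: string): boolean {
  const params = callbackParams(url);
  return CALLBACK_PARAMS_TO_CHECK.some((name) => params.has(name));
}

// Stricter check (hypothetical): the URL must be on the configured redirect
// URI (same origin and path) AND carry the parameter set a real STS response
// has. A lone `state` on /orders/42 is then just an application parameter.
// Path comparison is exact here; trailing-slash normalisation is left out.
export function isCallbackFromStsStrict(url: string, redirectUrl: string): boolean {
  const u = new URL(url);
  const r = new URL(redirectUrl);
  if (u.origin !== r.origin || u.pathname !== r.pathname) {
    return false;
  }
  const query = new URLSearchParams(u.search);
  const fragment = new URLSearchParams(u.hash.replace(/^#/, ""));
  // Code flow: authorization code and state come back in the query string.
  const codeFlow = query.has("code") && query.has("state");
  // Implicit flow: id_token and state come back in the fragment (assumption
  // that the `id_token` name from the issue's list is what is matched).
  const implicitFlow = fragment.has("id_token") && fragment.has("state");
  return codeFlow || implicitFlow;
}

// Side-by-side comparison over constructed URLs; returns [url, loose, strict].
export function compareChecks(redirectUrl: string): Array<[string, boolean, boolean]> {
  const samples = [
    "https://app.example/orders/42?state=filter",          // deep link, hijacked by loose
    "https://app.example/callback?code=abc&state=xyz",     // real code-flow callback
    "https://app.example/callback#id_token=eyJ&state=xyz", // real implicit callback
    "https://app.example/callback?code=abc",               // code without state
    "https://app.example/other?code=abc&state=xyz",        // right params, wrong route
  ];
  return samples.map((s) => [s, isCallbackFromStsLoose(s), isCallbackFromStsStrict(s, redirectUrl)]);
}
```

The first sample is the case the issue is about: a route that merely happens to carry a `state` (or `code`, `token`, `id_token`) query parameter is treated as an STS callback by the loose check, so callback handling runs on a page that never initiated a login. Tying the check to the registered redirect URI, as the reporter suggests, rules that out, and requiring the full parameter set for the flow in use additionally rejects half-formed responses.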