googleapis / google-oauth-java-client

Google OAuth Client Library for Java
Apache License 2.0

LocalServerReceiver corrupts authorization code #1128

Open LionelOnTech opened 1 week ago

LionelOnTech commented 1 week ago

google-oauth-java-client's LocalServerReceiver corrupts the authorization code if the code contains an encoded = sign (%3D).

Environment details

  1. OS type and version: any
  2. Java version: 17
  3. google-oauth-client-jetty-1.36.0.jar

Steps to reproduce

  1. Run PKCESample.java against any OAuth server
  2. If the authorization code returned from the server contains %3D, it is removed and the POST for the token fails. For example, if the OAuth server opened: http://localhost:8089/Callback?code=AgAg...pRfrigVQHIyP4erQ%3D
  3. When getQuery is called, the %3D is decoded to =.
  4. When queryToMap is called, split("=") is called, and the = at the end of the code is removed, thus corrupting the authorization code.

Any additional information below

Issue is on google-oauth-java-client's LocalServerReceiver line 282.

getRawQuery() should be used instead, and the values decoded after the queryToMap call.
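The decode-before-split problem the report describes, as an added example that is not code from google-oauth-java-client: a stand-alone Java class that parses the same kind of redirect URI in both orders. The redirect string, the state parameter and the code body are constructed placeholders, and the two parser methods are hypothetical names, not the library's queryToMap.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example, not code from google-oauth-java-client. Shows why a query
 * parser must split the still-encoded query on '=' and '&' before
 * percent-decoding, otherwise an authorization code ending in "%3D" (or
 * containing "%26") is corrupted.
 */
public class QueryParseDemo {

    // Constructed sample redirect; the code body is a placeholder, not a real code.
    static final String REDIRECT =
        "http://localhost:8089/Callback?code=AgAgpRfrigVQHIyP4erQ%3D&state=xyz";

    /** Buggy order: percent-decode the whole query first, then split on '&' and '='. */
    static Map<String, String> decodeThenSplit(URI uri) {
        Map<String, String> out = new HashMap<>();
        // getQuery() returns the decoded form, so "%3D" has already become "=".
        String query = uri.getQuery();
        if (query == null) return out;
        for (String pair : query.split("&")) {
            // String.split drops trailing empty strings, so "code=abc=" yields
            // ["code", "abc"]; an '=' inside the value yields extra elements.
            String[] kv = pair.split("=");
            if (kv.length == 0) continue;
            out.put(kv[0], kv.length > 1 ? kv[1] : "");
        }
        return out;
    }

    /** Correct order: split the raw (still encoded) query, then decode each key and value. */
    static Map<String, String> splitThenDecode(URI uri) {
        Map<String, String> out = new HashMap<>();
        // getRawQuery() keeps "%3D" and "%26" encoded, so the delimiters are unambiguous.
        String raw = uri.getRawQuery();
        if (raw == null) return out;
        for (String pair : raw.split("&")) {
            // Split on the first '=' only; anything after it belongs to the value.
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            out.put(URLDecoder.decode(key, StandardCharsets.UTF_8),
                    URLDecoder.decode(value, StandardCharsets.UTF_8));
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        URI uri = new URI(REDIRECT);
        System.out.println("getQuery():    " + uri.getQuery());
        System.out.println("getRawQuery(): " + uri.getRawQuery());
        System.out.println("decode-then-split code: " + decodeThenSplit(uri).get("code"));
        System.out.println("split-then-decode code: " + splitThenDecode(uri).get("code"));
    }
}
```

Running the class against the constructed redirect prints the code without its trailing = from decodeThenSplit and with it from splitThenDecode. One caveat on the corrected path: URLDecoder applies application/x-www-form-urlencoded rules, so a literal + in the raw query is decoded to a space; that matches how browsers encode query parameters, but a receiver that must preserve + verbatim should replace it with %2B before decoding or use a URI-aware decoder instead.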