google-oauth-java-client's LocalServerReceiver corrupts authorization code if the code contains encoded = sign (%3D).
Environment details
- OS type and version: any
- Java version: 17
- google-oauth-client-jetty-1.36.0.jar
Steps to reproduce
- Run PKCESample.java against any OAuth server
- If the authorization code returned from the server contains %3D, this is removed and POST for token fails. For example, if the OAuth server opened: http://localhost:8089/Callback?code=AgAg...pRfrigVQHIyP4erQ%3D
- When getQuery is called, the %3D is decoded to =.
- When queryToMap is called, the split("=") is called, and the = at the end of the code is removed, thus corrupting the authorization code.
Any additional information below
Issue is on google-oauth-java-client's LocalServerReceiver line 282.
getRawQuery() should be used instead, then decoded after the queryToMap call.
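To make the failure mode concrete, here is an added, stand-alone Java illustration (not the library's own source): `naiveQueryToMap` models the behaviour the report describes (decoded query, every pair split on every `=`), and `fixedQueryToMap` applies the suggested fix of parsing `getRawQuery()`, splitting each pair on the first `=` only, and decoding afterwards. Both method names and the callback URL with its `abc123%3D` code value are constructed for this example.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

public class QueryParseDemo {

    // Models the reported behaviour (illustration, not the library's code):
    // the query arrives already percent-decoded and each pair is split on
    // every "=", so String.split drops a trailing "=" and truncates at an
    // embedded one.
    static Map<String, String> naiveQueryToMap(String decodedQuery) {
        Map<String, String> result = new HashMap<>();
        if (decodedQuery == null) return result;
        for (String param : decodedQuery.split("&")) {
            String[] pair = param.split("=");
            result.put(pair[0], pair.length > 1 ? pair[1] : "");
        }
        return result;
    }

    // Suggested fix: parse the raw (still percent-encoded) query, split each
    // pair on the first "=" only, then decode key and value separately.
    static Map<String, String> fixedQueryToMap(String rawQuery) {
        Map<String, String> result = new HashMap<>();
        if (rawQuery == null) return result;
        for (String param : rawQuery.split("&")) {
            if (param.isEmpty()) continue;
            int eq = param.indexOf('=');
            String rawKey = eq < 0 ? param : param.substring(0, eq);
            String rawValue = eq < 0 ? "" : param.substring(eq + 1);
            // URLDecoder is form-decoding ("+" becomes a space), which is the
            // usual treatment for query-string components.
            result.put(URLDecoder.decode(rawKey, StandardCharsets.UTF_8),
                       URLDecoder.decode(rawValue, StandardCharsets.UTF_8));
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        // Constructed callback URL; "abc123%3D" stands in for a real code.
        URI callback = new URI("http://localhost:8089/Callback?code=abc123%3D&state=xyz");

        // getQuery() has already turned %3D into "=", so the naive parser
        // loses the trailing "=" of the code.
        String decoded = callback.getQuery();       // code=abc123=&state=xyz
        System.out.println("naive : " + naiveQueryToMap(decoded).get("code"));   // abc123

        // getRawQuery() keeps %3D intact until after the split.
        String raw = callback.getRawQuery();        // code=abc123%3D&state=xyz
        System.out.println("fixed : " + fixedQueryToMap(raw).get("code"));       // abc123=

        // An "=" in the middle of a value is truncated by the naive parser too.
        System.out.println("naive (embedded =): " + naiveQueryToMap("code=ab=cd").get("code"));   // ab
        System.out.println("fixed (embedded =): " + fixedQueryToMap("code=ab%3Dcd").get("code")); // ab=cd
    }
}
```

The two cases in `main` correspond to the report: a base64-style trailing `=` is silently dropped, and the token exchange then fails because the server never sees the code it issued. Splitting on the first `=` before decoding also handles codes or state values that contain `&` or `=` in encoded form.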