Aarón Bueno Villares
2016-08-23 22:39:35 UTC
First of all, sorry for my English; specifically, right now; I'm tired and
it's a bit late here in Spain and my English flows even worse than my
English.
I was adding to a project of mine support for authentication using the
GoogleService, and there were problems parsing the oauth callback url,
specifically, when decoding the 'state' parameter.
As far as I've seen in the Wt sources, the wt url with the session id which
is used as state parameter is encoded in base64 with the sha1
codification of the url itself as prefix, I assume to check integrity and
avoid passing the url to an incorrect session after Google sends it back.
However, there were problems decoding that state parameter returned by
Google. I received an "Auth.OAuthService: RedirectEndpoint: could not decode
state" error.
After checking step by step the values of the computation when decoding the
state parameter, I realized that the state parameter received from Google
wasn't exactly the same as the one originally sent.
I think the problem is the following one:
(A) The sha1 codification of the url contains or somehow provokes a
control character.
(B) Google changed that control character to its percent-encoded
codification (the state parameter of the url of the pop-up window showing
the Google authentication contained %0D%0A, which corresponds to a new
line symbol).
(C) For some reason, control characters (in my case, the %0D%0A
"token") are removed from the url at some point of the Wt app.
(D) When recalculating the state parameter, after extracting the url
from the received state parameter (in the decodeState function), it wasn't
equal to the original one.
(E) The decodeState function returns an empty string.
I've solved the problem by inheriting from the class GoogleService (thank
goodness decodeState is a virtual function) to omit that check. I just decode
the state parameter and return the contained url, which works fine, but I'm
worried about the security problems the sha1 prefix (which I ignore now)
tries to avoid.
Best regards,
Peregringlk.
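As an added illustration (neither the poster's code nor Wt's own; written in Python rather than C++ so it runs stand-alone), here is a constructed state wrapper shaped like the one described above: a sha1 prefix plus the url, base64-encoded. The exact byte layout, the line-wrapping encoder and the step that strips the control characters are assumptions used to reproduce the symptom, not details taken from Wt's sources; it also shows a decoding that verifies the digest over the decoded bytes, which survives the same transport.

```python
import base64
import hashlib
import hmac

DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes

def payload_for(url: str) -> bytes:
    """Assumed layout: raw sha1(url) followed by the url itself."""
    return hashlib.sha1(url.encode()).digest() + url.encode()

def encode_wrapped(url: str) -> str:
    # encodebytes() inserts "\n" every 76 output chars: one way a control
    # character (percent-encoded as %0A / %0D%0A) ends up inside the state.
    return base64.encodebytes(payload_for(url)).decode()

def encode_unwrapped(url: str) -> str:
    # urlsafe alphabet, single line: nothing for the transport to encode or strip.
    return base64.urlsafe_b64encode(payload_for(url)).decode()

def extract(state: str) -> bytes:
    try:
        return base64.urlsafe_b64decode(state)  # also accepts the standard alphabet
    except ValueError:  # bad padding, non-ASCII input, ...
        return b""

def decode_strict(state: str, encode) -> str:
    """Mirror the symptom in the post: take the url out of the state,
    re-encode it and require an exact match with the received string."""
    url = extract(state)[DIGEST_LEN:].decode(errors="replace")
    return url if encode(url) == state else ""

def decode_robust(state: str) -> str:
    """Check the digest over the decoded bytes instead of comparing encoded
    strings, so whitespace added or removed in transit cannot break it.
    Note: an unkeyed sha1 only detects corruption; anyone can recompute it,
    so a keyed HMAC with a server-side secret would be needed against tampering."""
    raw = extract(state)
    digest, url = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    if len(raw) <= DIGEST_LEN or not hmac.compare_digest(digest, hashlib.sha1(url).digest()):
        return ""
    return url.decode(errors="replace")

def strip_control(state: str) -> str:
    """Constructed stand-in for whatever removed the %0D%0A on the way back."""
    return state.replace("\r", "").replace("\n", "")

# Constructed callback url with a session id, long enough for encodebytes() to wrap.
URL = "https://app.example.test/oauth?wtd=0123456789abcdef0123456789abcdef"

def demo() -> dict:
    wrapped = encode_wrapped(URL)
    return {
        "wrapped_has_newline": "\n" in wrapped,
        "strict_after_transport": decode_strict(strip_control(wrapped), encode_wrapped),
        "robust_after_transport": decode_robust(strip_control(wrapped)),
        "unwrapped_roundtrip": decode_robust(encode_unwrapped(URL)),
        "tampered": decode_robust(encode_unwrapped(URL)[:-4] + "AAAA"),
    }
```

`demo()` returns an empty string for the strict check once the newline is gone, exactly the "could not decode state" case, while the digest-based check still recovers the url and still rejects a state whose url was altered.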