Describe the bug
State parameter is generated using the Base64 URL encoder [1]. It ends up containing an "equals" sign at the end most of the time, for example
When passing the state as a query parameter, it gets URI-encoded [2]
The state in the URL looks like
When processing OIDC callback, the state is decoded without URL decode in [3]
(the pictures diverge here, my login attempt expired while writing the bug - but both request and response can be seen)
This results in invalid_state_parameter error within OidcAuthorizationCodeReactiveAuthenticationManager
[1] https://github.com/spring-projects/spring-security/blob/main/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/server/DefaultServerOAuth2AuthorizationRequestResolver.java#L82
[2] https://github.com/spring-projects/spring-security/blob/main/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationRequest.java#L455
[3] https://github.com/spring-projects/spring-security/blob/main/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/server/OAuth2AuthorizationResponseUtils.java#L68
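The mechanism the report describes (padded Base64 URL state, `=` becoming `%3D` in the query string, and a callback-side comparison that does not URL-decode) can be reproduced with the JDK alone. The following is an added illustration, not code from the issue or from Spring Security; the `naiveMatches` and `decodedMatches` checks are hypothetical stand-ins for a callback-side state comparison and do not claim to mirror Spring's actual implementation. It shows the mismatch with a padded state, the decoded comparison that resolves it, and the unpadded generator that sidesteps the problem entirely.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

public class StateRoundTrip {

    private static final SecureRandom RANDOM = new SecureRandom();

    // Padded Base64 URL encoding, as in the report: 32 random bytes encode to
    // 44 characters and always end in exactly one '='.
    static String generatePaddedState() {
        byte[] raw = new byte[32];
        RANDOM.nextBytes(raw);
        return Base64.getUrlEncoder().encodeToString(raw);
    }

    // Alternative generator (assumption, not the project's code): drop the padding so
    // the state never contains a character that needs percent-encoding in a query string.
    static String generateUnpaddedState() {
        byte[] raw = new byte[32];
        RANDOM.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // The state as it travels in the authorization request query string: '=' becomes "%3D",
    // while the URL-safe alphabet ('-' and '_') is left untouched by URLEncoder.
    static String asQueryValue(String state) {
        return URLEncoder.encode(state, StandardCharsets.UTF_8);
    }

    // Hypothetical callback check that compares the raw query value without decoding it.
    // This is the failure mode the report describes: the stored value has '=' and the
    // received value has "%3D", so they never match.
    static boolean naiveMatches(String storedState, String rawQueryValue) {
        return storedState.equals(rawQueryValue);
    }

    // Hardened check: percent-decode the received value first, then compare in constant time
    // so the comparison leaks nothing about how many leading bytes matched.
    static boolean decodedMatches(String storedState, String rawQueryValue) {
        String decoded = URLDecoder.decode(rawQueryValue, StandardCharsets.UTF_8);
        return MessageDigest.isEqual(
                storedState.getBytes(StandardCharsets.UTF_8),
                decoded.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String padded = generatePaddedState();
        String paddedOnWire = asQueryValue(padded);
        System.out.println("stored (padded)   : " + padded);
        System.out.println("query value       : " + paddedOnWire);
        System.out.println("naive match       : " + naiveMatches(padded, paddedOnWire));   // false
        System.out.println("decoded match     : " + decodedMatches(padded, paddedOnWire)); // true

        String unpadded = generateUnpaddedState();
        String unpaddedOnWire = asQueryValue(unpadded);
        System.out.println("stored (unpadded) : " + unpadded);
        System.out.println("naive match       : " + naiveMatches(unpadded, unpaddedOnWire)); // true
    }
}
```

Run with `java StateRoundTrip.java` on JDK 11 or newer. Whichever side is changed, the defensive property to keep is that the value compared at the callback is byte-for-byte the value that was stored; decoding exactly once before the comparison, and generating states from an alphabet that needs no percent-encoding, each achieve that independently.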
Comment From: kse-music
Based on your description, I don't see any issues in my local. Could you provide a minimal sample that reproduces the steps? I'd be happy to take a look.
PS: I tested in Spring Boot 3.4.1.
Comment From: ZIRAKrezovic
I cannot reproduce it with Spring Boot 3.4. I am stuck on 3.2, which is out of OSS support. Closing.