Use of reserved characters in OAuth2 auth code


(Rob) #1

In the authorisation codes given to a client's redirect URI, it can contain =, which is a reserved character noted in section 2.2 of https://www.ietf.org/rfc/rfc3986.txt; the unreserved characters are noted in section 2.3. As an equals sign is reserved, it might break some apps that use query string de-constructors that assume a = is not part of query string data, e.g. ?code=hhuergh24h9u23jf09320f=4f2f23nf might extract hhuergh24h9u23jf09320f as the code. Obviously it’s the client developer’s responsibility to build their software to deal with these sorts of errors, but it would be nice to see the authorisation data conforming to the RFC standard, as many developers will use this as gospel.
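The truncation described above, shown as an added example (not Rob's code or anything from the authorisation server in question): a naive query-string parser that splits each pair on every `=` loses the tail of the code, while a parser that splits on the first `=` only, as RFC 3986 permits, keeps it. The redirect URL and the code value are constructed for illustration; the hypothetical `client.example` callback is an assumption.

```python
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample redirects (not real authorization codes). The first
# carries a literal '=' inside the code, the second the percent-encoded form
# (%3D) a careful authorization server would emit instead.
SAMPLE_REDIRECT = "https://client.example/cb?code=hhuergh24h9u23jf09320f=4f2f23nf&state=xyz"
SAMPLE_REDIRECT_ENCODED = "https://client.example/cb?code=hhuergh24h9u23jf09320f%3D4f2f23nf&state=xyz"


def naive_query_params(url: str) -> dict:
    """Buggy parser: splits every pair on *all* '=' characters and keeps only
    the first two fields, so an '=' inside a value silently truncates it."""
    query = url.split("?", 1)[1] if "?" in url else ""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        parts = pair.split("=")
        params[parts[0]] = parts[1] if len(parts) > 1 else ""
    return params


def robust_query_params(url: str) -> dict:
    """Correct parser: splits each pair on the FIRST '=' only and
    percent-decodes both sides, so a literal '=' and an encoded '%3D' in the
    code both survive intact."""
    params = {}
    for pair in urlsplit(url).query.split("&"):
        if not pair:
            continue
        key, _sep, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def stdlib_query_params(url: str) -> dict:
    """Reference: urllib.parse.parse_qs already splits on the first '=' and
    decodes, so using it instead of hand-rolled splitting avoids the bug."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    print("naive :", naive_query_params(SAMPLE_REDIRECT)["code"])
    print("robust:", robust_query_params(SAMPLE_REDIRECT)["code"])
    print("stdlib:", stdlib_query_params(SAMPLE_REDIRECT)["code"])
```

A client that later sends the truncated value to the token endpoint simply gets an `invalid_grant` style rejection, so a sudden rise in such failures is a useful signal that a parser like `naive_query_params` is in the path.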


(Rob) #2

I’m having trouble getting another code with a = in. If anyone else spots a code with a = in it, it would be super helpful if you could say here that you got one.