Project Quay / PROJQUAY-1383

OIDC session sends invalid state value in URL


Details

    • Bug
    • Resolution: Done
    • Major
    • quay-v3.5.0
    • 2020.08.20
    • quay
    • 0

    Description

      I have a functioning installation and I can log in with OIDC. But at unexpected times, the callback URL from the quay OIDC endpoint will send a value for the state parameter in a GET request with a '+' character which is not URL encoded. Manually changing the + sign to %2B (which is the URL encoded value for that character) lets the authentication process continue.

      An example from my installation, replacing the hostname with quay-registry.example.com

      Req:

      https://quay-registry.example.com/oauth2/adfs/callback?code=f-qyH1zi10-SC3Fl8kePQQ.HmyqU36g2AiaAHCuHlvyzpCZdtc.f8ez8WMJcfdFlcaAIiYq9mrzQlSgQo47aJE1KfPIP7bdcw27Hk_hOrkpLC7R8NUnptP3XLthnmdtagtOn6xP0OwhbOFbOVujvpF3EYeFjRZ0jEAGNusQai3ZulJHf8EMZ0xjajaMrlUyx5KbKAGjPujiqJMdI9WqgCZh7oJ5vpvSBF7aXCzvcdAZ_gCW94au_KEypWyWSU6VXAnQOyelloM3NALriRLEyhn86-_BEhH8JdUeDmmLrjgqka3qJtgdSekkBjAyLnFaomz2hEih1Jyn8D74wTePpdaO5f6hLlKGz0icd7Sw4sJt8v3Aijv9xeCt0snJZ0VTqnenGXscXg&state=9ZrWPVE1r3Uel0rccfWLe7c/zCjzbxw02l7PneJCKXRzOxzYAWR2GFbKwA6+1GJX

      {"error": "CSRF token was invalid or missing."}
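
      The failure mode described in this report, reproduced as an added example (not Quay's code and not part of the original report): a query-string parser that applies form decoding turns a raw '+' into a space, so the returned state no longer matches the token held in the session. The function names and the code value are hypothetical; the state value is the one quoted above.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

CALLBACK = "https://quay-registry.example.com/oauth2/adfs/callback"
# State value quoted in the report above; it contains '+' and '/'.
REPORTED_STATE = "9ZrWPVE1r3Uel0rccfWLe7c/zCjzbxw02l7PneJCKXRzOxzYAWR2GFbKwA6+1GJX"


def callback_raw(state, code="constructed-code"):
    """Callback URL with the state pasted in unencoded (the failing case)."""
    return f"{CALLBACK}?code={code}&state={state}"


def callback_encoded(state, code="constructed-code"):
    """Callback URL with every parameter percent-encoded ('+' becomes %2B)."""
    return f"{CALLBACK}?{urlencode({'code': code, 'state': state})}"


def received_state(url):
    """State as a form-decoding server sees it: a raw '+' decodes to a space."""
    return parse_qs(urlsplit(url).query)["state"][0]


def csrf_check(session_state, url):
    """Constant-time comparison of the session token with the returned state."""
    return hmac.compare_digest(session_state.encode(), received_state(url).encode())


def new_state(nbytes=48):
    """Token from the URL-safe alphabet (A-Z a-z 0-9 - _), intact even unencoded."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    # Raw '+' arrives as a space, so the comparison fails.
    print(repr(received_state(callback_raw(REPORTED_STATE))))
    print(csrf_check(REPORTED_STATE, callback_raw(REPORTED_STATE)))
    # Percent-encoded state round-trips and the check passes.
    print(csrf_check(REPORTED_STATE, callback_encoded(REPORTED_STATE)))
    # A URL-safe token survives even when a redirect does not encode it.
    fresh = new_state()
    print(csrf_check(fresh, callback_raw(fresh)))
```

      Either measure alone avoids the mismatch: percent-encoding the parameter wherever the redirect URL is built, or generating the state from an alphabet that has no characters with special meaning in a query string.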

       


          People

            jonathankingfc Jonathan King
            lazzarello Lee Azzarello (Inactive)
            luffy zhang luffy zhang