Project Quay / PROJQUAY-1383

OIDC session sends invalid state value in URL


    • Bug
    • Resolution: Done
    • Major
    • quay-v3.5.0
    • 2020.08.20
    • quay

      I have a functioning installation and I can log in with OIDC. But at unexpected times, the callback URL from the quay OIDC endpoint will send a value for the state parameter in a GET request with a '+' character which is not URL encoded. Manually changing the + sign to %2B (which is the URL-encoded value for that character) allows the authentication process to continue.

      An example from my installation, replacing the hostname with quay-registry.example.com:

      Req:

      https://quay-registry.example.com/oauth2/adfs/callback?code=f-qyH1zi10-SC3Fl8kePQQ.HmyqU36g2AiaAHCuHlvyzpCZdtc.f8ez8WMJcfdFlcaAIiYq9mrzQlSgQo47aJE1KfPIP7bdcw27Hk_hOrkpLC7R8NUnptP3XLthnmdtagtOn6xP0OwhbOFbOVujvpF3EYeFjRZ0jEAGNusQai3ZulJHf8EMZ0xjajaMrlUyx5KbKAGjPujiqJMdI9WqgCZh7oJ5vpvSBF7aXCzvcdAZ_gCW94au_KEypWyWSU6VXAnQOyelloM3NALriRLEyhn86-_BEhH8JdUeDmmLrjgqka3qJtgdSekkBjAyLnFaomz2hEih1Jyn8D74wTePpdaO5f6hLlKGz0icd7Sw4sJt8v3Aijv9xeCt0snJZ0VTqnenGXscXg&state=9ZrWPVE1r3Uel0rccfWLe7c/zCjzbxw02l7PneJCKXRzOxzYAWR2GFbKwA6+1GJX

      {"error": "CSRF token was invalid or missing."}
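The following is an added example, not code from Project Quay or from the reporter. It reproduces the symptom described above under one assumption: that the callback handler form-decodes the query string, in which case a literal '+' is read as a space and the state no longer matches the stored CSRF token. All function names and the `CONSTRUCTED-CODE` value are hypothetical; the state value is the one from the report.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# State value from the report above; it contains '/' and '+'.
STATE = "9ZrWPVE1r3Uel0rccfWLe7c/zCjzbxw02l7PneJCKXRzOxzYAWR2GFbKwA6+1GJX"
CALLBACK = "https://quay-registry.example.com/oauth2/adfs/callback"


def callback_url_raw(code, state):
    """Build the URL by string concatenation; the state is not encoded."""
    return f"{CALLBACK}?code={code}&state={state}"


def callback_url_encoded(code, state):
    """Build the URL with urlencode, which emits '+' as %2B and '/' as %2F."""
    return f"{CALLBACK}?{urlencode({'code': code, 'state': state})}"


def received_state(url):
    """Return the state as a form-decoding server sees it ('+' means space)."""
    return parse_qs(urlsplit(url).query)["state"][0]


def csrf_ok(url, expected):
    """Compare the received state with the stored token in constant time."""
    return hmac.compare_digest(received_state(url).encode(), expected.encode())


def urlsafe_state():
    """Generate a state drawn only from A-Z, a-z, 0-9, '-' and '_', so it
    survives the round trip even if a component forgets to encode it."""
    return secrets.token_urlsafe(48)


if __name__ == "__main__":
    for build in (callback_url_raw, callback_url_encoded):
        url = build("CONSTRUCTED-CODE", STATE)
        print(build.__name__, repr(received_state(url)[-12:]), csrf_ok(url, STATE))
    token = urlsafe_state()
    print("urlsafe", csrf_ok(callback_url_raw("CONSTRUCTED-CODE", token), token))
```

The two mitigations shown are independent: percent-encoding the state wherever a URL is built, and generating the state from a URL-safe alphabet so that a missed encoding step cannot alter it.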

       

              jonathankingfc Jonathan King
              lazzarello Lee Azzarello (Inactive)
              luffy zhang luffy zhang