Cognito Hosted UI login form breaks state variable

Question

Hi,
I accidentally discovered a possible bug in Amazon Cognito.

My app generates a random `state` variable with an equal sign `=` at the end for the purpose of OAuth2 authorization code flow. This variable is properly URI-encoded so `=` is replaced with `%3D` and it is passed as a query parameter to `/login` endpoint (hosted UI). When a user fills in username and password (of an existing user in the user pool), the web form is submitted as a proper POST request. Unfortunately, the URI encoding of the `state` variable is lost when it is passed along with `code` to my redirect URL in Cognito's response.

The generated URI looks like (note the trailing `=`):
```
 http://localhost:3000/login/oauth2/code/localhost?code=4b80cf95-e454-451a-8915-52f18fbefa81&state=FvIIYVt450DT4f5SebJUOxLkY1QAWKliwy_0aXb2amQ=
```
I tried it in eu-central-1, I don't know if other regions are also affected.

Unfortunately the framework I'm using (Spring Boot) is pretty restrictive and doesn't parse such URI properly, throwing exception `Invalid character '=' for QUERY_PARAM in \"FvIIYVt450DT4f5SebJUOxLkY1QAWKliwy_0aXb2amQ=\"`. Unfortunately, generating the `state` is out of my control without substantial effort and can not be easily overridden to avoid trailing equal sign.

Other endpoints, like `/oauth2/authorize` do work properly and `state` variable is passed to my redirect URL correctly encoded.

Is there any way how to configure Cognito so it properly encode query parameter values before redirecting browser to my redirect URL?

Answer

Hello,

I understand from your query that you found that LOGIN [1] endpoint's response is URI decoding your state parameter from "%3D" to "=". However, your framework with Springboot requires/expects "%3D" to come back, and not an "=" and presence of "=" in your state is prompting an error with your framework. Additionally, AUTHORIZATION [2] endpoint is working fine which returns back the "%3D" meaning it keeps the encoding intact. 
____________________________
Based on your comments, I was able to replicate the same by capturing two HAR [3] files (in Chrome browser) for logging the LOGIN flow vs AUTHORIZATION Flow in `us-east-1` region

- With `LOGIN` flow, the response has decoded `%3D` to `=` for the state parameter. 
- However, with AUTHORIZATION flow, the `%3D` remained intact in response as well.
____________________________

Hence, I checked in with the Cognito service team internally on your behalf, but they currently require your AWS account information alongside the UserPool information to help us assist you on this query. However, please do not post any such sensitive information over re:Post since this is a public platform.

Therefore, I would like to request you to log a support case directly with our Premium Support team, who can help you in getting the requested information to the service team securely.

As always, feel free to reach back out with any further questions or concerns in the meantime!

References:

[1] https://docs.aws.amazon.com/cognito/latest/developerguide/login-endpoint.html

[2] https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html

[3] https://aws.amazon.com/premiumsupport/knowledge-center/support-case-browser-har-file/

Cognito Hosted UI login form breaks state variable

관련 콘텐츠