Cognito Hosted UI login form breaks state variable

0

Hi, I accidentally discovered a possible bug in Amazon Cognito.

My app generates a random state variable with an equal sign = at the end for the purpose of OAuth2 authorization code flow. This variable is properly URI-encoded so = is replaced with %3D and it is passed as a query parameter to /login endpoint (hosted UI). When a user fills in username and password (of an existing user in the user pool), the web form is submitted as a proper POST request. Unfortunately, the URI encoding of the state variable is lost when it is passed along with code to my redirect URL in Cognito's response.

The generated URI looks like (note the trailing =):

 http://localhost:3000/login/oauth2/code/localhost?code=4b80cf95-e454-451a-8915-52f18fbefa81&state=FvIIYVt450DT4f5SebJUOxLkY1QAWKliwy_0aXb2amQ=

I tried it in eu-central-1, I don't know if other regions are also affected.

Unfortunately the framework I'm using (Spring Boot) is pretty restrictive and doesn't parse such a URI properly, throwing the exception Invalid character '=' for QUERY_PARAM in "FvIIYVt450DT4f5SebJUOxLkY1QAWKliwy_0aXb2amQ=". Unfortunately, generating the state is out of my control without substantial effort and cannot be easily overridden to avoid the trailing equal sign.

Other endpoints, like /oauth2/authorize do work properly and state variable is passed to my redirect URL correctly encoded.

Is there any way to configure Cognito so it properly encodes query parameter values before redirecting the browser to my redirect URL?

Asked a year ago, 543 views

1 answer
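The encoding round trip described above, as an added example that is not part of the original question or of any AWS code. The two `model_*` functions are assumptions that reproduce only what the question reports (the /login redirect emits the state unencoded, /oauth2/authorize percent-encodes it); `strict_query_param_error` is an approximation of the rule Spring's `UriComponents` applies to QUERY_PARAM values (a raw `=` inside a value is rejected, `%3D` is accepted), not Spring's actual code. The sample state value is the one from the question. The last two functions show the callback-side handling a practitioner would want regardless of which form comes back: a lenient parse that yields the same token for both forms, and a constant-time comparison against the stored state.

```python
import base64
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qsl, quote, urlencode, urlsplit

# Sample value copied from the question: 32 random bytes, base64url with one '=' pad.
PAGE_STATE = "FvIIYVt450DT4f5SebJUOxLkY1QAWKliwy_0aXb2amQ="


def make_state(padded: bool, raw: Optional[bytes] = None) -> str:
    """Generate an OAuth2 state token from 32 random bytes.
    padded=True mimics the questioner's generator (base64url *with* '=' padding);
    padded=False strips the padding, the usual choice for tokens carried in URLs."""
    raw = raw if raw is not None else secrets.token_bytes(32)
    token = base64.urlsafe_b64encode(raw).decode("ascii")
    return token if padded else token.rstrip("=")


def build_login_url(base: str, client_id: str, redirect_uri: str, state: str) -> str:
    """Outbound request to the hosted UI; urlencode percent-encodes '=' as %3D."""
    qs = urlencode({"client_id": client_id, "response_type": "code",
                    "redirect_uri": redirect_uri, "state": state})
    return f"{base}/login?{qs}"


def model_login_redirect(redirect_uri: str, code: str, state: str) -> str:
    """ASSUMPTION modelling the /login behaviour reported in the question:
    the state value is appended to the redirect URL without re-encoding."""
    return f"{redirect_uri}?code={code}&state={state}"


def model_authorize_redirect(redirect_uri: str, code: str, state: str) -> str:
    """ASSUMPTION modelling the /oauth2/authorize behaviour the question reports
    as correct: the state is percent-encoded (safe='' turns '=' into %3D)."""
    return f"{redirect_uri}?code={code}&state={quote(state, safe='')}"


# Characters Spring permits in a QUERY_PARAM value: unreserved, sub-delims minus
# '=' and '&', plus ':' '@' '/' '?', and '%' for percent-encoded octets.
_QUERY_PARAM_ALLOWED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    "-._~" "!$'()*+,;" ":@/?" "%"
)


def strict_query_param_error(url: str) -> Optional[str]:
    """Approximation (not Spring's code) of the strict check that produced the
    exception in the question. Returns the error text, or None when the query is clean."""
    for pair in urlsplit(url).query.split("&"):
        _name, _sep, value = pair.partition("=")   # split on the FIRST '=' only
        for ch in value:
            if ch not in _QUERY_PARAM_ALLOWED:
                return f"Invalid character '{ch}' for QUERY_PARAM in \"{value}\""
    return None


def lenient_callback_state(url: str) -> str:
    """Callback-side parse that tolerates both forms: parse_qsl splits pairs on
    '&' and names from values on the first '=', so a trailing raw '=' survives
    and '%3D' is decoded. Both redirects therefore yield the same token."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    return params.get("state", "")


def state_matches(expected: str, received: str) -> bool:
    """Constant-time comparison of the stored state with the one returned."""
    return hmac.compare_digest(expected.encode(), received.encode())


if __name__ == "__main__":
    cb = "http://localhost:3000/login/oauth2/code/localhost"
    print(build_login_url("https://example-domain.invalid", "client-id-placeholder", cb, PAGE_STATE))
    for name, url in (("login", model_login_redirect(cb, "code-placeholder", PAGE_STATE)),
                      ("authorize", model_authorize_redirect(cb, "code-placeholder", PAGE_STATE))):
        print(name, "->", url)
        print("  strict parser:", strict_query_param_error(url))
        print("  lenient state ok:", state_matches(PAGE_STATE, lenient_callback_state(url)))
    print("unpadded token:", make_state(False))
```

Running it shows the strict check failing only on the modelled /login redirect, while the lenient parse recovers the identical state from both URLs; the `padded=False` generator avoids the problem at the source, which is the fix to apply when the state generator is under your control.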
0

Hello,

I understand from your query that you found that the LOGIN [1] endpoint's response is URI-decoding your state parameter from "%3D" to "=". However, your framework with Spring Boot requires/expects "%3D" to come back, and not an "=", and the presence of "=" in your state is prompting an error with your framework. Additionally, the AUTHORIZATION [2] endpoint is working fine, which returns back the "%3D", meaning it keeps the encoding intact.

Based on your comments, I was able to replicate the same by capturing two HAR [3] files (in the Chrome browser) for logging the LOGIN flow vs. the AUTHORIZATION flow in the us-east-1 region:

  • With LOGIN flow, the response has decoded %3D to = for the state parameter.
  • However, with AUTHORIZATION flow, the %3D remained intact in response as well.

Hence, I checked in with the Cognito service team internally on your behalf, but they currently require your AWS account information alongside the User Pool information to help us assist you with this query. However, please do not post any such sensitive information on re:Post, since this is a public platform.

Therefore, I would like to request you to log a support case directly with our Premium Support team, who can help you in getting the requested information to the service team securely.

As always, feel free to reach back out with any further questions or concerns in the meantime!

References:

[1] https://docs.aws.amazon.com/cognito/latest/developerguide/login-endpoint.html

[2] https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html

[3] https://aws.amazon.com/premiumsupport/knowledge-center/support-case-browser-har-file/

AWS Support Engineer
Yash_C
Answered a year ago