Cognito Hosted UI login form breaks state variable


Hi, I accidentally discovered a possible bug in Amazon Cognito.

My app generates a random state variable with an equal sign = at the end for the purpose of the OAuth2 authorization code flow. This variable is properly URI-encoded, so = is replaced with %3D, and it is passed as a query parameter to the /login endpoint (hosted UI). When a user fills in the username and password (of an existing user in the user pool), the web form is submitted as a proper POST request. Unfortunately, the URI encoding of the state variable is lost when it is passed along with the code to my redirect URL in Cognito's response.

The generated URI looks like (note the trailing =):

 http://localhost:3000/login/oauth2/code/localhost?code=4b80cf95-e454-451a-8915-52f18fbefa81&state=FvIIYVt450DT4f5SebJUOxLkY1QAWKliwy_0aXb2amQ=

I tried it in eu-central-1, I don't know if other regions are also affected.

Unfortunately, the framework I'm using (Spring Boot) is pretty restrictive and doesn't parse such a URI properly, throwing the exception Invalid character '=' for QUERY_PARAM in "FvIIYVt450DT4f5SebJUOxLkY1QAWKliwy_0aXb2amQ=". Unfortunately, generating the state is out of my control without substantial effort and cannot be easily overridden to avoid the trailing equal sign.

Other endpoints, like /oauth2/authorize, do work properly, and the state variable is passed to my redirect URL correctly encoded.

Is there any way to configure Cognito so it properly encodes query parameter values before redirecting the browser to my redirect URL?

asked a year ago, 525 views
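An added example (not code from the question author, Spring Boot or Cognito), written in Python for illustration: it pulls the state value out of the redirect URL quoted above without decoding it, compares it to the stored value in constant time after decoding exactly once (so either a raw = or a %3D from the authorization server is accepted), and shows how generating the state as unpadded base64url avoids the trailing = entirely. The percent-encoded variant of the redirect URL is constructed for the comparison.

```python
import base64
import hmac
import secrets
from typing import Optional
from urllib.parse import quote, unquote, urlsplit

# Redirect URL exactly as quoted in the question (raw '=' at the end of state),
# plus a constructed variant in which the server kept the '%3D' encoding.
PAGE_REDIRECT_URL = ("http://localhost:3000/login/oauth2/code/localhost"
                     "?code=4b80cf95-e454-451a-8915-52f18fbefa81"
                     "&state=FvIIYVt450DT4f5SebJUOxLkY1QAWKliwy_0aXb2amQ=")
ENCODED_REDIRECT_URL = PAGE_REDIRECT_URL[:-1] + "%3D"
# The value the client stored before it sent the authorization request.
STORED_STATE = "FvIIYVt450DT4f5SebJUOxLkY1QAWKliwy_0aXb2amQ="


def extract_raw_state(redirect_url: str) -> Optional[str]:
    """Return the state value as the server sent it, without percent-decoding.

    Splitting each pair on the FIRST '=' only is what makes a trailing '='
    inside the value harmless; the strict parser in the question rejects it.
    """
    for pair in urlsplit(redirect_url).query.split("&"):
        name, _, value = pair.partition("=")
        if name == "state":
            return value
    return None


def state_matches(stored: str, received: str) -> bool:
    """Constant-time comparison after decoding the received value exactly once.

    Accepts both the LOGIN behaviour ('=') and the AUTHORIZATION behaviour
    ('%3D') described in the question. Safe because a base64url state never
    contains '%', so decoding the stored form is a no-op.
    """
    return hmac.compare_digest(stored.encode(), unquote(received).encode())


def is_redirect_safe(state: str) -> bool:
    """True if the state survives percent-encoding unchanged (no '=', '+', '/')."""
    return quote(state, safe="") == state


def generate_state(nbytes: int = 32) -> str:
    """Random state as unpadded base64url: no trailing '=' to be mangled."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode()
```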
1 Answer

Hello,

I understand from your query that you found that the LOGIN [1] endpoint's response is URI-decoding your state parameter from "%3D" to "=". However, your framework with Spring Boot requires/expects "%3D" to come back, and not an "=", and the presence of "=" in your state is prompting an error with your framework. Additionally, the AUTHORIZATION [2] endpoint is working fine and returns the "%3D", meaning it keeps the encoding intact.

Based on your comments, I was able to replicate the same by capturing two HAR [3] files (in the Chrome browser) for logging the LOGIN flow vs. the AUTHORIZATION flow in the us-east-1 region:

  • With LOGIN flow, the response has decoded %3D to = for the state parameter.
  • However, with the AUTHORIZATION flow, the %3D remained intact in the response as well.

Hence, I checked in with the Cognito service team internally on your behalf, but they currently require your AWS account information alongside the UserPool information to help us assist you on this query. However, please do not post any such sensitive information over re:Post since this is a public platform.

Therefore, I would like to request you to log a support case directly with our Premium Support team, who can help you in getting the requested information to the service team securely.

As always, feel free to reach back out with any further questions or concerns in the meantime!

References:

[1] https://docs.aws.amazon.com/cognito/latest/developerguide/login-endpoint.html

[2] https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html

[3] https://aws.amazon.com/premiumsupport/knowledge-center/support-case-browser-har-file/

AWS
SUPPORT ENGINEER
Yash_C
answered a year ago
