Hritcu Andrei

Reputation: 172

Azure Active Directory OAuth 2.0 Authorization gives Bad Request

When requesting an authorization code, if the state URL parameter has the following value, https://login.microsoftonline.com/oauth2/authorize gives me a Bad Request.

state=%3C%3CMULE_EVENT_ID%3D0-6cadfe22-e9ea-11e6-99ff-205120524153%3E%3E

If I remove the encoded values << and >>, it works well. Currently I have some limitations and I cannot remove those values.

In the documentation it says that "state" is a value included in the request that will also be returned in the token response. It can be a string of any content that you wish.

Upvotes: 2

Views: 408

Answers (2)

Ed Huber

Reputation: 116

The double << >> appears to be semantically incorrect, although those characters are allowed by https://www.rfc-editor.org/rfc/rfc6749#appendix-A.5 (referencing the ABNF syntax for that field, which is essentially all printable characters including space, VSCHAR, https://www.rfc-editor.org/rfc/rfc5234).

However, when we look at the intended use of the state field, it is to be used to send a token back from the service, so that your application can validate its local state to avoid CSRF attacks.

In most cases, a short string should suffice, and you will probably do yourself a favor if you keep the string short, saving bytes on the wire and additional parsing overhead.

There is a good overview of using the oauth2 endpoint here (admittedly with Bing Ads, but the principles and advice are applicable to this case):

https://msdn.microsoft.com/en-us/library/bing-ads-user-authentication-oauth-guide.aspx

If I can find the exact restrictions on the state field, I shall update my answer.

Upvotes: 2

juunas

Reputation: 58898

Well, the documentation seems a bit wrong then. I tested various state strings, and what makes it fail consistently is starting the state string with %3C. So a less-than sign is fine in some places in the string.

EDIT: There is something really odd going on.

This fails:

state=MUL%3CE_EVENT_ID%3D0-6cadfe22-e9ea-11e6-99ff-205120524153%3E%3E

But this works:

state=MULE%3C_EVENT_ID%3D0-6cadfe22-e9ea-11e6-99ff-205120524153%3E%3E

But this also fails:

state=MULE_%3CEVENT_ID%3D0-6cadfe22-e9ea-11e6-99ff-205120524153%3E%3E

My theory is that it doesn't allow anything that looks like a valid HTML tag. That's why it would allow %3C_....%3D, but not %3Ca%3E. You can replace a with any character a-z. So HTML elements are a no-no :)

Upvotes: 1
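The two answers above make the same practical point from different directions: the state value should be an opaque, session-bound CSRF token, and the Azure AD endpoint appears to reject anything that starts an HTML-tag-like sequence (a `<` followed by a letter). The following Python is an added example, not code from the question or either answerer. It (a) encodes the observed rejection rule as a heuristic check so you can pre-flight a state value, and (b) shows how to carry application data such as the MULE_EVENT_ID in the state anyway: pack it with a random nonce into base64url, whose alphabet can never contain `<` or `>`, store the nonce in the user's session, and compare it on the callback. The regex, the `oauth_state_nonce` session key, the JSON layout of the payload and the sample client_id/redirect_uri are all assumptions made for the example; the tag-like rule is juunas's observation, not documented Azure AD behaviour.

```python
import base64
import hmac
import json
import re
import secrets
from typing import Optional
from urllib.parse import urlencode

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/oauth2/authorize"

# Heuristic reconstruction of the rejection observed in the thread: a '<'
# immediately followed by an ASCII letter, i.e. the start of something that
# looks like an HTML tag. Assumption for pre-flighting, not documented behaviour.
HTML_TAG_LIKE = re.compile(r"<[A-Za-z]")


def looks_like_html_tag(state: str) -> bool:
    """True if the raw (decoded) state contains an HTML-tag-like sequence."""
    return HTML_TAG_LIKE.search(state) is not None


def encode_state(payload: dict, nonce: Optional[str] = None) -> str:
    """Pack application data plus a random nonce into a base64url string.

    The base64url alphabet is [A-Za-z0-9-_], so the result can never contain
    '<' or '>' and needs no percent-encoding in the query string.
    """
    nonce = nonce or secrets.token_urlsafe(16)
    body = json.dumps({"n": nonce, "d": payload}, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(body).rstrip(b"=").decode("ascii")


def decode_state(state: str) -> dict:
    """Inverse of encode_state; raises ValueError on malformed input."""
    padded = state + "=" * (-len(state) % 4)
    data = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(data, dict):
        raise ValueError("state payload is not an object")
    return data


def build_authorize_url(client_id: str, redirect_uri: str,
                        session: dict, payload: dict) -> str:
    """Start the authorization-code flow, binding the state to this session."""
    nonce = secrets.token_urlsafe(16)
    session["oauth_state_nonce"] = nonce          # assumed session key
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "state": encode_state(payload, nonce),
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def validate_callback_state(session: dict, returned_state: str) -> Optional[dict]:
    """On the redirect back, check the nonce against the session (CSRF defence).

    Returns the application payload on success, None on any mismatch. The
    nonce is single-use: it is removed from the session whatever the outcome.
    """
    expected = session.pop("oauth_state_nonce", None)
    if expected is None:
        return None
    try:
        data = decode_state(returned_state)
    except ValueError:
        return None
    got = data.get("n")
    if not isinstance(got, str):
        return None
    # Constant-time comparison; encode to bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(got.encode(), expected.encode()):
        return None
    return data.get("d")


if __name__ == "__main__":
    # The value from the question, decoded: starts with "<M", so it is flagged.
    original = "<<MULE_EVENT_ID=0-6cadfe22-e9ea-11e6-99ff-205120524153>>"
    print("original flagged:", looks_like_html_tag(original))
    sess = {}
    url = build_authorize_url("my-client-id", "https://app.example/cb", sess,
                              {"mule_event_id": "0-6cadfe22-e9ea-11e6-99ff-205120524153"})
    print(url)
    state = url.split("state=")[1]
    print("payload on callback:", validate_callback_state(sess, state))
```

Run stand-alone it prints the authorize URL with a state containing only base64url characters. If you cannot change how the upstream value is produced, at least run the decoded value through `looks_like_html_tag` before sending it; a `True` there predicts the Bad Request seen in the question.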
