Location header returns / path if /authenticate-code/callback is called when Login URL contains a (.) (dot) in parameters #56

Open
amitagrawal11 opened this issue Dec 22, 2022 · 1 comment
Labels
bug Something isn't working

amitagrawal11 commented Dec 22, 2022

Describe the bug?

The Location header gets an empty path if /authenticate-code/callback is called when the login URL contains a (.) (dot) in its parameters.

When an unauthenticated user tries to ping a URL ( https://example.com/software/1.2.3 ) in the browser, the normal OIDC login flow starts and /authenticate-code/callback gets called once the user is authenticated in OKTA, but the Location header in the /authenticate-code/callback response is blank ( / ). That is, the Location header in the response returns / instead of returning /software/1.2.3.

Refer to the attached screenshot below.

However, if the URL does not contain any (dot), then the exact Location header is received.

What is expected to happen?

The expected behaviour is to receive, in the Location header of the /authenticate-code/callback response, the exact value that is passed in the path parameter of the URL. That is, even if the URL contains a (dot) in its path parameters, the exact path parameter value should be received in the Location header.

e.g.

if the user pings the login URL
https://example.com/test/1.2.3

then /authenticate-code/callback should return
Location: /test/1.2.3

What is the actual behavior?

But in actuality, the Location header is returned as / instead of /test/1.2.3
e.g.

if the user pings the login URL
https://example.com/test/1.2.3

then /authenticate-code/callback returns
Location: /

Reproduction Steps?

You just need to add path parameters which contain a (.) (dot) to the login URL, such as https://example.com/test/1.2.3, then notice when /authenticate-code/callback is called and check the Location header in the response; it will be empty ( / ).

SDK Versions

"@okta/oidc-middleware": "5.0.0",

Execution Environment

Platform: NodeJS
OS: Windows, Mac

Additional Information?

No response

@amitagrawal11 amitagrawal11 added the bug Something isn't working label Dec 22, 2022
Contributor

denysoblohin-okta commented Jan 25, 2023

Can you please post the options you pass to the ExpressOIDC constructor? Do you have a custom configuration for routes.loginCallback?

I am not sure dots are the reason for your issue.
Are you still being redirected to / if you go to /test/123?

Also what are your options for express-session?
Please provide any other sample code/configs that can help us to reproduce your issue.
