Unable to authenticate via OAuth if there are query parameters in the redirect_url field
Summary
Going through the OAuth flow with a redirect_uri that contains query parameters such as http://localhost?abc=def
is not possible.
https://gitlab.com/gitlab-org/gitlab-ce/commit/6ad1b988678b33e7079f1b1558a0e2a74fb8e600 upgraded the version of doorkeeper to 4.3.1, which has this issue: https://github.com/doorkeeper-gem/doorkeeper/issues/1065. Apparently, it is fixed in 4.3.2.
Steps to reproduce
-
Create a new account on gitlab.com.
-
Create a new oauth application under the new account, and set the redirect uri to something like
http://localhost
. -
Run this bash script, going to the URL printed and entering the access code given in the redirect.
CLIENT_ID=XXX CLIENT_SECRET=YYY CALLBACK_URL=http://localhost AUTH_URL="https://gitlab.com/oauth/authorize?client_id=$CLIENT_ID&redirect_uri=$CALLBACK_URL&response_type=code" echo $AUTH_URL echo -n "Enter access code: " read ACCESS_CODE curl -G -X POST "https://gitlab.com/oauth/token" \ --data client_id=$CLIENT_ID \ --data client_secret=$CLIENT_SECRET \ --data grant_type=authorization_code \ --data code=$ACCESS_CODE --data-urlencode redirect_uri=$CALLBACK_URL
It should work and get a valid OAuth token.
4. Change CALLBACK_URL
to http://localhost?abc=def
. Now it won't work.
What is the current bug behavior?
It should be possible to go through the OAuth flow with a redirect uri with query parameters.
What is the expected correct behavior?
The server returns a 401 error with invalid_grant
.
Output of checks
This bug happens on GitLab.com
Possible fixes
Upgrade doorkeeper
to 4.3.2.