Environment
- Access Manager 4.5.0
- Access Manager 4.5.1
- Access Manager 4.5.2
- Access Manager 4.5.3
- Access Manager 4.5.4
Situation
- Access Manager 4.5.3
- OAuth Client using grant flow
- OAuth Client uses HTTP GET / URL Query Parameters for Grant Request
- state parameter includes URL-encoded JSON: state={"Param":"1234"}
Behavior
IDP returns HTTP 400 Bad Request while parsing the state parameter
curl -v -b c -c c -k -G -d 'response_type=code&client_id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx' -d 'client_secret=xxxxxxxx-xxxx' -d 'redirect_uri=https://XXX.XXX.XXX.XXX:8443/netiq-playground/oauth2client' --data-urlencode 'state={"Param":"1234"}' https://idpa.kgast.nam.com/nidp/oauth/nam/authz
* Trying XXX.XXX.XXX.XXX
* TCP_NODELAY set
* Connected to idpa.kgast.nam.com (XXX.XXX.XXX.XXX) port XXX(#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=idpa.kgast.nam.com; OU=Technical Services; O=Micro Focus; L=Duesseldorf; C=de
* start date: Oct 20 10:12:27 2020 GMT
* expire date: Oct 20 10:12:27 2024 GMT
* issuer: OU=Organizational CA; O=nam40_tree
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> GET /nidp/oauth/nam/authz?response_type=code&client_id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx&client_secret=omdGIgupEoQy7M87G8QztssYxuCUAOm3El5TRsTFMbxlJk0-OYAoNxFo82LL-jfHlkr36n9PEpMij5xas-ifPw&redirect_uri=https://192.168.0.195:8443/netiq-playground/oauth2client&state=%7B%22Param%22%3A%221234%22%7D HTTP/1.1
> Host: idpa.kgast.nam.com
> User-Agent: curl/7.65.0
> Accept: */*
> Cookie: _PA_SDK_SSO_=U4zbqX5mS7feaaboY8xquH5Pddpj/0U+aRXCno22ACIw/nm8SxHjDsIe48TVpaIh/NXO2FDf0lX90Uwwn4uwNDW+/vvbDPeyrAUo9MRqtxmiTIIOQBbEGUAYZSjzO6MJ7ssH3apxGjOy4Xn49Z2VHW7gXk+HFoz24gPktg+YNE91PniNgXGeZZPvh+ucMlpksSIhQVlp27sUaT/TzG7/+bgzFi/ggzy8uI0woZ5NXXSnTCDEYW4D3SIM9AxaZ4C8I/gwjmewF3LG5XZV3WEv8taQ/yEhdBdMJl9Ig2vfOcw=; UrnNovellNidpClusterMemberId=~XX~XXXXX~XX~XX~XXXXX~XX~XX; JSESSIONID=2E2F6A155CAB897F483EADAC01B52BC1
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 400
< X-FRAME-OPTIONS: SAMEORIGIN
< Strict-Transport-Security: max-age=31536000
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Access-Control-Allow-Methods: GET, POST, DELETE, PUT, OPTIONS
< Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Authorization
< Access-Control-Allow-Credentials: true
< Content-Type: text/plain
< Content-Length: 584
< Date: Fri, 19 Feb 2021 08:50:57 GMT
< Connection: close
<
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):
Illegal character """ at position 473 is not allowed as a start of a name in a path template "code=/wEBAAQEACBNWI0QadxqF/OEzYEgVR/pjZ0g856AvVNdWNwZIUMOq1ov1w2L@5SKg1yv9jbgWsvWN2GIEAKqox5zdIupQcNxdei2bHmZ4gbwNSBFrd/JJ5n8fa5SydEcYdq4XFZgVw3aq8wKTuPJR36jk026ti3qbgOpC3D66PScKI7HuPsGOEsYa2t3XI/zYIFvKo/tG9XgfXSLFEAuFk4KuO2cbPOFcUVqyt5e@eKc4kaevgheIxfZqZKjsrjc0YfEBd1LJ5MWFXxFDXXYkYk2Z3Tlp88n4YzEsENFSc2ISboUqQQyIa0gSGxtHJL7dohsF@xW9zzuqAa9vuKSRyVecaQ7sXB7sHXhQzpuTcMlrrhtit@y16ncqEQSHwk2eXBFdxbwRTFEcnap7KnMcLXiMVv/6a5FLKvdmU0b9AvjKsMYerzgyLE4JU@MkboldK4s8rXObfM~&state={"Param":"1234"}".
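The error at the end of the trace comes from the IDP feeding the decoded state value into a URI path template, where `{"Param":"1234"}` is read as a template variable whose name starts with `"`. A client-side mitigation, added here as an example and not part of the KB article or of Access Manager itself, is to keep structured state opaque by base64url-encoding it (only [A-Za-z0-9-_] then reaches the IDP) and to embed a random nonce so the callback can still be bound to the browser session. The assumption is that the IDP accepts base64url characters in state, which the OAuth 2.0 state syntax permits.

```python
import base64
import json
import secrets
from urllib.parse import urlencode

# Characters that collide with URI path-template syntax ("{name}");
# the trace above shows the IDP rejecting a state value containing them.
TEMPLATE_CHARS = set('{}"')


def state_is_template_safe(state: str) -> bool:
    """True if the raw state value contains no URI-template delimiters."""
    return not (TEMPLATE_CHARS & set(state))


def encode_state(params: dict, nonce=None) -> str:
    """Wrap structured state in unpadded base64url so only [A-Za-z0-9-_]
    is sent. A random nonce is embedded so the client can still bind the
    callback to the session (the CSRF purpose of the state parameter)."""
    payload = {"nonce": nonce or secrets.token_urlsafe(16), **params}
    raw = json.dumps(payload, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def decode_state(state: str) -> dict:
    """Inverse of encode_state; restores the stripped '=' padding."""
    padded = state + "=" * (-len(state) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def build_authz_query(client_id: str, redirect_uri: str, state: str) -> str:
    """Query string for the authorization request from the curl command.
    client_secret is deliberately left out: the authorization request does
    not need it, and placing it in a GET URL exposes it in logs."""
    return urlencode({"response_type": "code", "client_id": client_id,
                      "redirect_uri": redirect_uri, "state": state})


if __name__ == "__main__":
    # Constructed sample matching the failing request in the trace.
    raw_state = '{"Param":"1234"}'
    print("raw state template-safe:", state_is_template_safe(raw_state))
    safe = encode_state({"Param": "1234"})
    print("encoded state:", safe, decode_state(safe))
```

Percent-encoding alone (as `--data-urlencode` did in the trace, producing `%7B%22Param%22...`) is not enough, because the IDP decodes the query before building the template; the value itself must avoid the delimiters.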