In the pull request two main changes are proposed:

State Separator

In the library, the semicolon character is always used as a separator between the nonce and the additional state.
There is a bug in the Microsoft Azure B2C web page: the state parameter cannot contain a semicolon character (encoded %3B).

Steps to reproduce:
Go to URI:
https://login.microsoftonline.com/te/fabrikamb2c.onmicrosoft.com/b2c_1_susi/oauth2/v2.0/authorize?client_id=fdb91ff5-5ce6-41f3-bdbd-8267c817015d&redirect_uri=https%3a%2f%2flocalhost%3a44316%2f&response_mode=form_post&response_type=code+id_token&scope=openid+profile+offline_access+https%3a%2f%2ffabrikamb2c.onmicrosoft.com%2ftasks%2fread+https%3a%2f%2ffabrikamb2c.onmicrosoft.com%2ftasks%2fwrite&state=some%3BState&nonce=someNonce
Click "Sign Up now"
You should see an error page.

Although it seems to be Microsoft's bug, it would still be nice to have the possibility to customize this separator. This special character was already problematic once: #61

Getting additional state value when an error occurs (oauth failed).

The additional state value is extracted only for a successful flow.
Some SPAs might be interested in getting the state value even when an error occurs (it depends on the business logic in the application). I'm proposing to do the state parsing a few lines earlier.
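
The two changes described above, sketched as an added example (not the library's code and not part of this pull request). All function names, the `.` alternative separator, and the choice to return the additional state on the error path only after the nonce matches are assumptions of this sketch.

```javascript
// Added illustration; function and parameter names are hypothetical,
// not the library's API.
function buildState(nonce, additionalState, separator = ';') {
  if (!separator || nonce.includes(separator)) {
    throw new Error('separator must be non-empty and absent from the nonce');
  }
  if (!additionalState) return nonce;
  // Encode the extra state so it can never be confused with the separator.
  return nonce + separator + encodeURIComponent(additionalState);
}

// Split on the FIRST separator only; everything after it is extra state.
function parseState(state, separator = ';') {
  const idx = state.indexOf(separator);
  if (idx === -1) return { nonce: state, userState: '' };
  let userState = '';
  try {
    userState = decodeURIComponent(state.slice(idx + separator.length));
  } catch (e) {
    // Malformed percent-encoding in a returned state: treat as no extra state.
  }
  return { nonce: state.slice(0, idx), userState };
}

// State is parsed before the error check, so the caller receives userState
// on a failed flow too, but only when the nonce matches the one stored for
// this login attempt (the redirect parameters are untrusted input).
function handleCallback(params, expectedNonce, separator = ';') {
  const { nonce, userState } = parseState(params.get('state') || '', separator);
  if (!expectedNonce || nonce !== expectedNonce) {
    return { ok: false, error: 'invalid_state', userState: '' };
  }
  const error = params.get('error');
  if (error) return { ok: false, error, userState };
  return { ok: true, error: null, userState };
}

// Constructed sample values; a real nonce comes from a CSPRNG.
const nonce = 'c0ffee1234abcd';
const withSemicolon = new URLSearchParams({ state: buildState(nonce, '/tasks') });
const withDot = new URLSearchParams({ state: buildState(nonce, '/tasks', '.') });
console.log(withSemicolon.toString()); // separator is sent as %3B
console.log(withDot.toString());       // no %3B in the query string
```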