I'm using Nest as an Authentication Provider for Salesforce, with the intention of calling the Nest API from Force.com. The problem I have is that Nest corrupts the state parameter during the OAuth 2.0 flow.
This is the redirect from Salesforce to Nest. I've inserted line breaks for clarity:
https://home.nest.com/login/oauth2?
response_type=code&
client_id=16188153-52f1-4ac9-93ee-83ccab5cbd2f&
redirect_uri=https%3A%2F%2Flogin.salesforce.com%2Fservices%2Fauthcallback%2F00DE0000000cjOBMAY%2FNest&
state=jMG%2F2bzDEPisWyKsH7yVPHCrHdHxRAzYhG3Aq7VBF%2FrBLmW49eGj3DEzCLg0aGIvbOadXUxf1pwiDIPupqOMTZ%2BQbuThvTf58y2zXHwDNcoAvg%3D%3D
Note the 'percent encoding' in the state parameter.
This is the redirect back to Salesforce:
https://login.salesforce.com/services/authcallback/00DE0000000cjOBMAY/Nest?
state=jMG/2bzDEPisWyKsH7yVPHCrHdHxRAzYhG3Aq7VBF/rBLmW49eGj3DEzCLg0aGIvbOadXUxf1pwiDIPupqOMTZ+QbuThvTf58y2zXHwDNcoAvg==&
code=UCMG2TEF9S69CQX2
Notice that state is no longer URL encoded. And, in particular, since it contains a + character, when Salesforce decodes it, that + is interpreted as a space, and the state doesn't match what Salesforce sent, so authentication fails.
Nest - please fix this!
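As an added illustration (not part of the original post, and not Nest's or Salesforce's code), the following Python script reproduces the encoding problem described above using the state value from the post. The client side percent-encodes the state when it builds the authorize URL; a hypothetical provider that concatenates the decoded state into the callback URL without re-encoding sends the + out raw, so the client's query-string decoder turns it into a space and the comparison fails; re-encoding the state when building the redirect fixes it. The client_id value and the function names are stand-ins chosen for this example.

```python
import hmac
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Constructed sample: the base64-style state value shown in the post. It contains
# '/', '+' and '=', all of which are reserved in a query string and must be
# percent-encoded on the wire.
ORIGINAL_STATE = (
    "jMG/2bzDEPisWyKsH7yVPHCrHdHxRAzYhG3Aq7VBF/rBLmW49eGj3DEzCLg0aGIvbOadXUxf"
    "1pwiDIPupqOMTZ+QbuThvTf58y2zXHwDNcoAvg=="
)
SAMPLE_CODE = "UCMG2TEF9S69CQX2"  # authorization code value from the post

AUTHORIZE_ENDPOINT = "https://home.nest.com/login/oauth2"
CALLBACK = "https://login.salesforce.com/services/authcallback/00DE0000000cjOBMAY/Nest"


def build_authorize_url(state, client_id="client-id-placeholder"):
    """Client (Salesforce) side: urlencode percent-encodes every parameter,
    so '/' -> %2F, '+' -> %2B and '=' -> %3D in the state value."""
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,  # placeholder, not a real client id
        "redirect_uri": CALLBACK,
        "state": state,
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}"


def provider_received_state(authorize_url):
    """Provider side: decoding the query string recovers the original state."""
    return parse_qs(urlsplit(authorize_url).query)["state"][0]


def broken_provider_redirect(state, code):
    """Hypothetical provider behaviour matching the post: the already-decoded
    state is concatenated into the callback URL without re-encoding, so the
    '/' and '+' characters go out raw."""
    return f"{CALLBACK}?state={state}&code={code}"


def fixed_provider_redirect(state, code):
    """Correct behaviour: percent-encode the state (and the code) again when
    building the redirect. safe='' makes quote() encode '/' as well."""
    return f"{CALLBACK}?state={quote(state, safe='')}&code={quote(code, safe='')}"


def client_received_state(callback_url):
    """Client side: parse_qs decodes as application/x-www-form-urlencoded,
    where a literal '+' means a space. That is why a raw '+' in the state
    breaks the round trip while %2B survives it."""
    return parse_qs(urlsplit(callback_url).query)["state"][0]


def state_matches(callback_url, expected_state):
    """The check a client performs on the callback; constant-time compare so
    the state comparison itself does not leak timing information."""
    return hmac.compare_digest(client_received_state(callback_url), expected_state)


if __name__ == "__main__":
    authorize_url = build_authorize_url(ORIGINAL_STATE)
    state_at_provider = provider_received_state(authorize_url)
    print("state survives authorize request:", state_at_provider == ORIGINAL_STATE)

    broken = broken_provider_redirect(state_at_provider, SAMPLE_CODE)
    print("broken redirect matches:", state_matches(broken, ORIGINAL_STATE))
    print("client saw:", client_received_state(broken))

    fixed = fixed_provider_redirect(state_at_provider, SAMPLE_CODE)
    print("fixed redirect matches:", state_matches(fixed, ORIGINAL_STATE))
```

The script shows why the first leg works and the second does not: the authorize URL carries %2B, which decodes back to +, while the broken callback carries a raw +, which the client decodes to a space. A client cannot safely "repair" the value by swapping spaces back to +, since the original may legitimately contain both; the fix belongs on the side that builds the redirect.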