I need to construct a custom request_uri for an implementation of Spring OAuth2. What specific code should be used to properly encode each of the parameters in the request_uri?
The full, unencoded, request_uri is as follows, but is resulting in an error that indicates that a token is not granted:
http://localhost:9999/uaa/oauth/authorize?client_id=acme
&redirect_uri=http://localhost:8080/login&response_type=code
&state=13ab71ae-c8ed-4370-a60f-dd7fe47ed763
As you can see, the individual parameters are:
client_id=acme
redirect_uri=http://localhost:8080/login
response_type=code
state=13ab71ae-c8ed-4370-a60f-dd7fe47ed763
And the code that was used to construct the above request_uri is:
CsrfToken csrf = (CsrfToken) attr.getRequest().getAttribute(CsrfToken.class.getName());
String attrToken = csrf.getToken();
authorizationRequest.setState(attrToken);
String newRequestUri = "http://localhost:9999/uaa/oauth/authorize?";
String clientId = authorizationRequest.getClientId();
newRequestUri = newRequestUri + "client_id=" + clientId;
String redirectUri = authorizationRequest.getRedirectUri();
newRequestUri = newRequestUri + "&redirect_uri="+redirectUri;
Set<String> respTypes = authorizationRequest.getResponseTypes();
String respType = respTypes.iterator().next();//this plucks the first one, but is not safe for when there is a list.
newRequestUri = newRequestUri +"&response_type="+respType;
String state = authorizationRequest.getState();
newRequestUri = newRequestUri + "&state="+state;
attr.setAttribute("javax.servlet.forward.request_uri", newRequestUri, RequestAttributes.SCOPE_REQUEST);
//now re-set the request attributes to reflect the changes we just made
RequestContextHolder.setRequestAttributes(attr);
More specifically, this OP asks what syntax should be used to encode the following string values in the code above: newRequestUri, clientId, redirectUri, respType, and state.
The Official OAuth2 Spec says you can use the application/x-www-form-urlencoded Content-Type and UTF-8 encoding, but then also gives this example:
/authorize?response_type=code&client_id=s6BhdRkqt3
&state=xyz
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
Similarly, the Spring OAuth2 Developer Guide only contains one use of the word encode.
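One way to encode each parameter, as an added example that is not part of the original post: every name and value is form-encoded as UTF-8 with `java.net.URLEncoder`, and the endpoint itself is left unencoded. The class and method names (`AuthorizeUriExample`, `enc`, `buildAuthorizeUri`) are hypothetical, and the second `redirect_uri` is a constructed value.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.StringJoiner;

// Hypothetical helper class; not taken from Spring Security OAuth2.
public class AuthorizeUriExample {

    // Form-encode one name or value as UTF-8 (application/x-www-form-urlencoded).
    static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8); // Charset overload: Java 10+
    }

    // Encode each parameter on its own, then join with '&'.
    // The endpoint is appended as-is: encoding the whole URI would also
    // escape the '?', '&' and '=' that separate the parameters.
    static String buildAuthorizeUri(String endpoint, Map<String, String> params) {
        StringJoiner query = new StringJoiner("&");
        for (Map.Entry<String, String> p : params.entrySet()) {
            query.add(enc(p.getKey()) + "=" + enc(p.getValue()));
        }
        return endpoint + "?" + query;
    }

    public static void main(String[] args) {
        String endpoint = "http://localhost:9999/uaa/oauth/authorize";

        // The four parameters from the question, in the same order.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("client_id", "acme");
        params.put("redirect_uri", "http://localhost:8080/login");
        params.put("response_type", "code");
        params.put("state", "13ab71ae-c8ed-4370-a60f-dd7fe47ed763");
        System.out.println(buildAuthorizeUri(endpoint, params));

        // Constructed value: a redirect_uri that carries its own query string.
        // Concatenated unencoded, its '&' would end redirect_uri early and
        // "lang=en" would be parsed as a parameter of the authorize request.
        params.put("redirect_uri", "http://localhost:8080/login?next=/home&lang=en");
        System.out.println(buildAuthorizeUri(endpoint, params));
    }
}
```

`URLEncoder` leaves `.` unescaped, so the output differs from the spec's `%2E` form only in that character; both decode to the same value.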