Search code examples
google-oauth

URL encoding of the state parameter for Google oauth2 gets decoded during redirect

I'm doing the initial authorization for Google Drive access. I want to pass a full URL in the "state" parameter so I can do an additional redirect from the page name I send over in "redirect_uri". So my request URL looks like this...

https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=000000000000.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Fmy.server.com%2Fx%2Fws-catch.php&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive&access_type=offline&state=https%3a%2f%2fmy.server.com%2fRoot%2fDirectory%2fGoogle.php%3fpid%3dc907a55c-87f8-4ba8-8a16-478a9e6cba70%26prov%3dsrv50758c7a0cfcd6.527662862

Notice the "state" parameter is URL encoded. The Google documentation says that this parameter is round tripped so that I get the value I passed in. However, the state parameter appears to get partially decoded by the time it reaches the page specified in "redirect_uri". Here is where the browser goes when I deny the auth request...

https://my.server.com/x/ws-catch.php?error=access_denied&state=https://my.server.com/Root/Directory/Google.php?pid%3Dc907a55c-87f8-4ba8-8a16-478a9e6cba70%26prov%3Dsrv50758c7a0cfcd6.527662862

Notice the unencoded "?" character now in the "state" parameter. Is this a problem with Google when it redirects? I read one post that suggested base64 encoding the parameter which I can do but I wanted to understand why it wasn't working with URL encoding.

***edit

Here is the raw 302 from Google. Should be the same URL as pasted above.

HTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Thu, 14 Feb 2013 16:23:37 GMT
Location: https://my.server.com/x/ws-catch.php?error=access_denied&state=https://my.server.com/Root/Directory/Google.php?pid%3Dc907a55c-87f8-4ba8-8a16-478a9e6cba70%26prov%3Dsrv50758c7a0cfcd6.527662862
Content-Type: text/html; charset=UTF-8
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 325
Server: GSE
Solution

  • URL encoding does not require encoding of '?' or ':' or '/' when appearing as query parameter values. So the responses generated by Google are correctly encoded and should not result in any parse errors on your server.