[Openid-specs-ab] Issue #1202: Suggested OP iframe javascript suggests a wrong split (openid/connect)

Tapter issues-reply at bitbucket.org
Tue Dec 15 12:54:32 UTC 2020


New issue 1202: Suggested OP iframe javascript suggests a wrong split
https://bitbucket.org/openid/connect/issues/1202/suggested-op-iframe-javascript-suggests-a

Matthias Keller:

In #917 a correction was applied, that the session state must not contain spaces in order to be able to perform a correct split of the event data.

However, the suggested JavaScript code does it the wrong way if the client_id contains space(s). Then it would split at the first space, resulting in both a wrong client_id and a wrong session_state.

Example event data string that would break the suggested implementation (client_id is "my client"):

```
my client 789080e03c593a07419ad4c08bebd8e3e28909e173191b018ec24271b87cdc6c.ruyies1xuF
```

This would result in client_id="my" and session_state="client".

### Suggested fix:

Current version (30):

```
    var client_id = e.data.split(' ')[0];
    var session_state = e.data.split(' ')[1];
```

Replace with:

```javascript
    var client_id = e.data.substr(0, e.data.lastIndexOf(' '));
    var session_state = e.data.substr(e.data.lastIndexOf(' ') + 1);
```
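The parsing problem described in this issue, as an added example that is not part of the original post or of the specification's own code: it runs the first-space split and a last-space split side by side on constructed messages and rejects malformed input. The function names and the sample session_state value are hypothetical.

```javascript
// Added example: hypothetical helper names, constructed sample data.

// The split the issue quotes as the current version: breaks at the FIRST space.
function splitAtFirstSpace(data) {
  const parts = data.split(' ');
  return { clientId: parts[0], sessionState: parts[1] };
}

// Split at the LAST space, as the issue proposes, with added input checks.
// Relies on session_state containing no spaces (the rule cited from #917),
// so the last space is always the delimiter even if client_id has spaces.
function parseEventData(data) {
  if (typeof data !== 'string') return null;
  const idx = data.lastIndexOf(' ');
  // idx === -1: no delimiter; idx === 0: empty client_id;
  // idx === length - 1: empty session_state.
  if (idx <= 0 || idx === data.length - 1) return null;
  return {
    clientId: data.slice(0, idx),
    sessionState: data.slice(idx + 1),
  };
}

// Run both parsers on one input so the difference is visible.
function compare(data) {
  return {
    first: typeof data === 'string' ? splitAtFirstSpace(data) : null,
    last: parseEventData(data),
  };
}

// Constructed sample messages; the session_state value is made up.
const STATE = '0123abcd.salt1';
const samples = [
  'client1 ' + STATE,   // no space in client_id: both parsers agree
  'my client ' + STATE, // space in client_id: first-space split is wrong
  'nospace',            // no delimiter at all
  ' ' + STATE,          // empty client_id
  'client1 ',           // empty session_state
  42,                   // not a string
];

for (const s of samples) {
  console.log(JSON.stringify(s), '=>', JSON.stringify(compare(s)));
}
```

A null result from `parseEventData` means the message did not have the `client_id + ' ' + session_state` shape and should not be compared against any stored state.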
