[Openid-specs-ab] Issue #1202: Suggested OP iframe javascript suggests a wrong split (openid/connect)

Tapter issues-reply at bitbucket.org
Tue Dec 15 12:54:32 UTC 2020

New issue 1202: Suggested OP iframe javascript suggests a wrong split

Matthias Keller:

In #917 a correction was applied, that the session state must not contain spaces in order to be able to perform a correct split of the event data.

However, the suggested JavaScript code does it the wrong way if the client_id contains space(s). Then it would split at the first space, resulting in both wrong client_id and wrong session_state.

Example event data string that would break the suggested implementation (client_id is "my client"):

my client 789080e03c593a07419ad4c08bebd8e3e28909e173191b018ec24271b87cdc6c.ruyies1xuF

This would result in client_id="my" and session_state="client".

### Suggested fix:

Current version (30):

    var client_id = e.data.split(' ')[0];
    var session_state = e.data.split(' ')[1];

Replace with:

    var client_id = e.data.substr(0, e.data.lastIndexOf(' '));
    var session_state = e.data.substr(e.data.lastIndexOf(' ') + 1);
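
The two split strategies from the message above, run side by side on its example string. This is an added example, not part of the original message or of the specification text. The function names are hypothetical, and rejecting input that has no usable separator is an assumption added here.

```javascript
// Sample: the event data string from the message above (client_id is "my client").
const SAMPLE =
  'my client 789080e03c593a07419ad4c08bebd8e3e28909e173191b018ec24271b87cdc6c.ruyies1xuF';

// Split at the first space, as in the current version quoted above.
function parseFirstSpace(data) {
  const parts = data.split(' ');
  return { client_id: parts[0], session_state: parts[1] };
}

// Split at the last space. This relies on session_state containing no spaces
// (the #917 correction), so everything before the last space is the client_id.
// Returns null when the input cannot be a "client_id session_state" pair
// (assumption: such messages should be rejected rather than parsed).
function parseLastSpace(data) {
  if (typeof data !== 'string') return null;
  const i = data.lastIndexOf(' ');
  // i === -1: no separator; i === 0: empty client_id;
  // i === length - 1: empty session_state.
  if (i <= 0 || i === data.length - 1) return null;
  return { client_id: data.slice(0, i), session_state: data.slice(i + 1) };
}

console.log(parseFirstSpace(SAMPLE)); // wrong client_id and wrong session_state
console.log(parseLastSpace(SAMPLE));  // full client_id, intact session_state
console.log(parseLastSpace('nospace'));
```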

