[Openid-specs-ab] Issue #1202: Suggested OP iframe javascript suggests a wrong split (openid/connect)
Tapter
issues-reply at bitbucket.org
Tue Dec 15 12:54:32 UTC 2020
New issue 1202: Suggested OP iframe javascript suggests a wrong split
https://bitbucket.org/openid/connect/issues/1202/suggested-op-iframe-javascript-suggests-a
Matthias Keller:
In #917 a correction was applied, that the session state must not contain spaces in order to be able to perform a correct split of the event data.
However, the suggested javascript code does it the wrong way if the client_id contains space(s). Then it would split at the first space, resulting in both wrong client_id and wrong session_state.
Example event data string that would break the suggested implementation (client_id is "my client"):
```
my client 789080e03c593a07419ad4c08bebd8e3e28909e173191b018ec24271b87cdc6c.ruyies1xuF
```
This would result in client_id="my" and session_state="client".
### Suggested fix:
Current version (30):
```javascript
var client_id = e.data.split(' ')[0];
var session_state = e.data.split(' ')[1];
```
Replace with:
```javascript
var client_id = e.data.substr(0, e.data.lastIndexOf(' '));
var session_state = e.data.substr(e.data.lastIndexOf(' ') + 1);
```
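The two splits from the issue above, run side by side on its example string, as an added example that is not part of the original issue or the specification. The function names `parseNaive` and `parseSessionMessage` are hypothetical, and the rejection of malformed messages is an assumption added here.

```javascript
// Added example; function names are hypothetical, not from the spec.
// Message format per the issue: client_id + ' ' + session_state,
// where session_state contains no spaces but client_id may.

// Split used by the current suggested code: breaks at the FIRST space.
function parseNaive(data) {
  var parts = data.split(' ');
  return { client_id: parts[0], session_state: parts[1] };
}

// Split at the LAST space, as the issue proposes, plus input checks
// (the checks are an assumption of this example).
function parseSessionMessage(data) {
  if (typeof data !== 'string') return null;
  var idx = data.lastIndexOf(' ');
  // Reject: no separator, empty client_id, or empty session_state.
  if (idx <= 0 || idx === data.length - 1) return null;
  return {
    client_id: data.slice(0, idx),
    session_state: data.slice(idx + 1)
  };
}

// Constructed sample inputs (the first is the string from the issue).
var samples = [
  'my client 789080e03c593a07419ad4c08bebd8e3e28909e173191b018ec24271b87cdc6c.ruyies1xuF',
  'client1 abc.salt',
  'nospace',
  'trailing '
];
samples.forEach(function (s) {
  console.log(JSON.stringify(s), parseNaive(s), parseSessionMessage(s));
});
```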