Summary
In the published 1.1.10-RELEASE artifact, OAuth2Api.generateUserAuthorizationUrl(env, scopes, state) appends auth_type=oauth to the authorization URL without a & separator when a state is supplied. The result is that auth_type=oauth gets glued onto the end of the state value.
Affected version
com.ebay.auth:ebay-oauth-java-client:1.1.10-RELEASE (latest on Maven Central)
Behavior
Calling generateUserAuthorizationUrl(env, scopes, Optional.of("<state>")) produces:
...&scope=<scope>&state=<state>auth_type=oauth
instead of the expected:
...&scope=<scope>&state=<state>&auth_type=oauth
Because there is no &, the OAuth state value that eBay receives (and echoes back on the redirect) becomes <state>auth_type=oauth rather than <state>. Any downstream code that correlates the callback by the original state value no longer matches, breaking the authorization flow.
The bug only manifests when a state is present. With no state, the trailing & from the scope= segment happens to make the URL well-formed, which likely masked it.
Already fixed in source, but not released
The current source on the default branch already has the fix (trailing & after state):
sb.append("scope=").append(scope).append("&");
if (state.isPresent()) {
sb.append("state=").append(state.get()).append("&");
}
sb.append("auth_type=oauth");
However, this fix is not included in the artifacts published on Maven Central.
Could you please publish a new release from the current source so downstream projects can consume the fix? Thank you!
Summary
In the published
1.1.10-RELEASEartifact,OAuth2Api.generateUserAuthorizationUrl(env, scopes, state)appendsauth_type=oauthto the authorization URL without a&separator when astateis supplied. The result is thatauth_type=oauthgets glued onto the end of thestatevalue.Affected version
com.ebay.auth:ebay-oauth-java-client:1.1.10-RELEASE(latest on Maven Central)Behavior
Calling
generateUserAuthorizationUrl(env, scopes, Optional.of("<state>"))produces:instead of the expected:
Because there is no
&, the OAuthstatevalue that eBay receives (and echoes back on the redirect) becomes<state>auth_type=oauthrather than<state>. Any downstream code that correlates the callback by the originalstatevalue no longer matches, breaking the authorization flow.The bug only manifests when a
stateis present. With nostate, the trailing&from thescope=segment happens to make the URL well-formed, which likely masked it.Already fixed in source, but not released
The current source on the default branch already has the fix (trailing
&afterstate):However, this fix is not included in the artifacts published on Maven Central.
Could you please publish a new release from the current source so downstream projects can consume the fix? Thank you!