Skip to content

generateUserAuthorizationUrl corrupts the state parameter in 1.1.10-RELEASE #3

Description

@rolandkreuzer

Summary

In the published 1.1.10-RELEASE artifact, OAuth2Api.generateUserAuthorizationUrl(env, scopes, state) appends auth_type=oauth to the authorization URL without a & separator when a state is supplied. The result is that auth_type=oauth gets glued onto the end of the state value.

Affected version

com.ebay.auth:ebay-oauth-java-client:1.1.10-RELEASE (latest on Maven Central)

Behavior

Calling generateUserAuthorizationUrl(env, scopes, Optional.of("<state>")) produces:

...&scope=<scope>&state=<state>auth_type=oauth

instead of the expected:

...&scope=<scope>&state=<state>&auth_type=oauth

Because there is no &, the OAuth state value that eBay receives (and echoes back on the redirect) becomes <state>auth_type=oauth rather than <state>. Any downstream code that correlates the callback by the original state value no longer matches, breaking the authorization flow.

The bug only manifests when a state is present. With no state, the trailing & from the scope= segment happens to make the URL well-formed, which likely masked it.

Already fixed in source, but not released

The current source on the default branch already has the fix (trailing & after state):

sb.append("scope=").append(scope).append("&");
if (state.isPresent()) {
    sb.append("state=").append(state.get()).append("&");
}
sb.append("auth_type=oauth");

However, this fix is not included in the artifacts published on Maven Central.

Could you please publish a new release from the current source so downstream projects can consume the fix? Thank you!

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions