Unable to authenticate via OAuth if there are query parameters in the redirect_url field
Going through the OAuth flow with a redirect_uri that contains query parameters such as http://localhost?abc=def is not possible.
https://gitlab.com/gitlab-org/gitlab-ce/commit/6ad1b988678b33e7079f1b1558a0e2a74fb8e600 upgraded the version of doorkeeper to 4.3.1, which has this issue: https://github.com/doorkeeper-gem/doorkeeper/issues/1065. Apparently, it is fixed in 4.3.2.
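The security-relevant point behind this bug is how a server compares the redirect_uri in an authorization request against the URIs registered for the client: the comparison has to be strict (no prefix or substring matching, which would let an attacker redirect an authorization code elsewhere) while still accepting a registered URI that carries its own query string. The following Ruby is an added illustration written for this report, not code from GitLab or doorkeeper, and the matching rule it applies (exact scheme, host, port and path; the same set of query parameters regardless of order; no fragment) is my own choice rather than doorkeeper's implementation. The module and method names are made up for the example.

```ruby
require 'uri'

# Strict redirect_uri matching that still permits query parameters on a
# registered URI (example code, not doorkeeper's implementation).
module RedirectUriMatcher
  module_function

  # Parse a query string into a sorted list of [name, value] pairs so that
  # "a=1&b=2" and "b=2&a=1" compare equal but "a=1" and "a=1&b=2" do not.
  def parse_query(query)
    return [] if query.nil? || query.empty?
    URI.decode_www_form(query).sort
  end

  # A requested redirect_uri matches a registered one only if every
  # component is identical. Anything unparseable is rejected.
  def match?(registered, requested)
    reg = URI.parse(registered)
    req = URI.parse(requested)

    return false unless reg.scheme.to_s.downcase == req.scheme.to_s.downcase
    return false unless reg.host.to_s.downcase == req.host.to_s.downcase
    return false unless reg.port == req.port          # default port filled in by URI
    return false unless reg.path == req.path          # no prefix matching on path
    return false unless req.fragment.nil?             # fragments are never allowed in redirect_uri

    parse_query(reg.query) == parse_query(req.query)
  rescue URI::InvalidURIError
    false
  end

  # True if the requested redirect_uri matches any registered URI of the client.
  def allowed?(registered_uris, requested)
    registered_uris.any? { |r| match?(r, requested) }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: a client registered with two redirect URIs.
  registered = ['https://app.example/callback', 'http://localhost?abc=def']
  [
    'http://localhost?abc=def',        # exact match, query params present -> allowed
    'http://localhost',                # registered URI has params, request does not -> rejected
    'http://localhost?abc=def&x=1',    # extra parameter -> rejected
    'http://localhost.evil.example?abc=def' # different host -> rejected
  ].each do |uri|
    puts "#{uri} -> #{RedirectUriMatcher.allowed?(registered, uri) ? 'allowed' : 'rejected'}"
  end
end
```

The check treats the registered value as an exact template: a request may only add nothing and remove nothing, which is what keeps query-string support from turning into a loophole.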
Steps to reproduce
1. Create a new account on gitlab.com.
2. Create a new oauth application under the new account, and set the redirect uri to something like http://localhost (the CALLBACK_URL used in the script below).
3. Run this bash script, going to the URL printed and entering the access code given in the redirect.

   #!/usr/bin/env bash
   # Fill these in from the OAuth application created in step 2.
   CLIENT_ID=XXX
   CLIENT_SECRET=YYY
   CALLBACK_URL=http://localhost

   # Note: redirect_uri is left unencoded in the authorize URL, as in the original report.
   AUTH_URL="https://gitlab.com/oauth/authorize?client_id=$CLIENT_ID&redirect_uri=$CALLBACK_URL&response_type=code"
   echo "$AUTH_URL"
   echo -n "Enter access code: "
   read -r ACCESS_CODE

   # Exchange the authorization code for a token (POST with a form body).
   curl -X POST "https://gitlab.com/oauth/token" \
     --data client_id="$CLIENT_ID" \
     --data client_secret="$CLIENT_SECRET" \
     --data grant_type=authorization_code \
     --data code="$ACCESS_CODE" \
     --data-urlencode redirect_uri="$CALLBACK_URL"

   It should work and get a valid OAuth token.
4. Change the redirect uri of the application to http://localhost?abc=def (and CALLBACK_URL in the script to match). Now it won't work.
What is the current bug behavior?
The server returns a 401 error with
What is the expected correct behavior?
It should be possible to go through the OAuth flow with a redirect uri with query parameters.
Output of checks
This bug happens on GitLab.com
Possible fixes
Upgrade doorkeeper to 4.3.2.