Oauth State parameter with special character being altered

Ericaf — Fri, 14 Dec 2018 18:35:31 GMT

I am working on adding Oauth support to my Authorize.net API integration. My existing system has logic in place to use the "state" parameter both to validate and redirect users to the necessary page after requesting the initial token. I am looking to reuse this method that works for several other of our Oauth integrations and as such it's not simple to change. In testing Authorize.net's oauth, special characters seem to be getting stripped out from the state param, notably the "^" character. I have tested encoding and escaping it in the URL in different ways but this seems to either have no effect or causes an error.

As an example, we are redirecting the user to:

https://sandbox.authorize.net/oauth/authorize?sub=oauth&client_id=clientId&redirect_uri=https%3a%2f%2fwww.myhost.com%2fapp%2fredirectOauthToken&scope=read%2cwrite&state=stateInfo1^stateInfo2

(note the param "state=stateInfo1^stateInfo2")

but at the end they get redirected back to

https://www.myhost.com/app/redirectOauthToken?code=xxxx&state=stateInfo1stateInfo2

(note the param "state=stateInfo1stateInfo2")

Note the state param is missing the "^" between "stateInfo1" and "stateInfo2". We have tried passing the ^ as shown as well as URL encoding it to %5E, escaping it with slashes, etc. I tested passing state=stateInfo1%20stateInfo2, and in the redirect back to us the state param was "state=stateInfo1 stateInfo2" with the space, but %5E just gets removed as shown above.

Is there a way to get the Redirect URI to be followed and keep the state param value unchanged?

topic Oauth State parameter with special character being altered in Integration and Testing

Oauth State parameter with special character being altered