[Bug]: Hash state VS local state validation does not work when using special characters

[Salketer]

Version

18.0.2

Please provide a link to a minimal reproduction of the bug

No response

Please provide the exception or error you saw

[DEBUG] google - ValidateStateFromHashCallback failed, state: d%7C1 local_state:d|1

Steps to reproduce the behavior

use setState("anything|with specialchar");
login using provider.

A clear and concise description of what you expected to happen.

When reading the state from the querystring, it is URI encoded and directly compared to the original value. It should be decoded before comparing.

Additional context

No response

[FabianGosebrink]

Thanks for that bug. Which lines are you referring to?

[Salketer]

Hello Fabian, I wasn't referring to any line of code as I did not check the source. The error message was enough to hint at what was happening. I'll try to dig deeper later today if you want.

[FabianGosebrink]

Ah, out of your message I though you might have analyzed the code already :D Sorry, I was wrong then. I will also have a look later. Help would be appreciated. Thanks!

[Salketer]

No worries,

So I found where it's coming from:

angular-auth-oidc-client/projects/angular-auth-oidc-client/src/lib/validation/state-validation.service.ts

Line 51 in c5437b3

!this.tokenValidationService.validateStateFromHashCallback(

Here the test is executed. I followed the trail up to where callbackContext.authResult?.state is defined and it seems to be from

angular-auth-oidc-client/projects/angular-auth-oidc-client/src/lib/flows/callback-handling/code-flow-callback-handler.service.ts

Line 27 in c5437b3

codeFlowCallback(

Weird thing is that it looks like the parameters are correctly sanitized...