lelylan/simple-oauth2

When authorizePath contains query parameters, authorizeURL creates an invalid URL

thesuavehog opened this issue · 1 comments

thesuavehog commented

simple-oauth2/lib/authorization-code-grant-type.js

Line 36 in 472546f

return `${url}?${querystring.stringify(parameters.toObject())}`;

Some OAuth2 providers require additional parameters in the query string - for example, audience is required by Auth0 to get a JWT instead of an opaque token value. The current code creates an invalid URL if there is already a ? (i.e. query parameters) on the path.

Suggested change: use '&' if url contains a ? already, otherwise use ?
This is safe because ? (unencoded) is only value in one location in the URL (so there should be no case where there is an existing ? which is not in the position of separating the path and query parameters in the url).

thesuavehog commented

Nevermind, the issue is in the types library for this module which does not allow for arbitrary parameters to be passed to authorizeURL even though the simple-oauth2 supports it