stripe/stripe-php

Stripe does not follow the RFC 6749 OAuth 2 specification in case of rejection by the user

marco-sacchi opened this issue · 1 comment

Describe the bug

I don't know if this is the right place to open this issue, but since I use the PHP SDK I thought it appropriate to do it here.

Stripe does not follow RFC 6749 section 4.1.2 in the case of an authorization rejected by the user. The state parameter is required in the response if the client_id and redirect_uri in the request are both valid (see also section 4.1.2.1); I quote:

If the resource owner denies the access request or if the request
fails for reasons other than a missing or invalid redirection URI,
the authorization server informs the client by adding the following
parameters to the query component of the redirection URI using the
"application/x-www-form-urlencoded" format, per Appendix B:

....

state
REQUIRED if a "state" parameter was present in the client
authorization request. The exact value received from the
client.

....

Consider implementing the specification according to RFC 6749; otherwise, cross-site request forgery cannot be verified.

To Reproduce

  1. Paste an authorization URL into your browser like: https://marketplace.stripe.com/oauth/v2/authorize?client_id=${clientId}&redirect_uri=${redirectUrl}&state=${state}
  2. Click "Cancel" on the Stripe authorization page.
  3. The URL to which the browser is redirected does not have the state parameter: https://*********/oauth2?error=access_denied&error_description=The+user+denied+your+request

Expected behavior

The state parameter must be returned unchanged.

Code snippets

No response

OS

Ubuntu 22.04.4 LTS

PHP version

PHP 7.3

Library version

stripe-php v13.10.0

API version

2023-10-16

Additional context

No response
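The CSRF check the report refers to, as an added example in PHP (not code from stripe-php or from the reporter): the callback handler verifies the state parameter on every redirect, error responses included, and treats a redirect without a matching state (such as the access_denied redirect shown above) as untrusted rather than as a confirmed denial. The session array, function names and the 'authorized'/'denied'/'error'/'invalid' outcomes are assumptions of this example.

```php
<?php
// Added example, not stripe-php code. Verifies the RFC 6749 "state" parameter on
// the redirect back from the authorization server. $session stands in for
// $_SESSION so the example runs from the command line.
declare(strict_types=1);

function issueState(array &$session): string
{
    // 128 bits from a CSPRNG, bound to this user's session before the redirect.
    $session['oauth_state'] = bin2hex(random_bytes(16));
    return $session['oauth_state'];
}

/**
 * Classify the query string the browser arrived with.
 * Returns 'authorized', 'denied', 'error' or 'invalid'.
 * A response whose state is absent or does not match is 'invalid' even when
 * it only claims error=access_denied: without the state it cannot be tied to
 * the request this session actually started.
 */
function handleRedirect(array $query, array &$session): string
{
    $expected = $session['oauth_state'] ?? null;
    unset($session['oauth_state']); // single use, whatever the outcome

    $received = $query['state'] ?? null;
    if ($expected === null || !is_string($received)
        || !hash_equals($expected, $received)) {
        return 'invalid';
    }
    if (isset($query['error'])) {
        // RFC 6749 section 4.1.2.1 error response, state verified
        return $query['error'] === 'access_denied' ? 'denied' : 'error';
    }
    if (isset($query['code']) && is_string($query['code'])) {
        return 'authorized'; // next step: exchange $query['code'] for a token
    }
    return 'invalid';
}

// Constructed sample: the denial redirect from the report, which lacks "state".
$session = [];
$state = issueState($session);
parse_str('error=access_denied&error_description=The+user+denied+your+request', $q);
echo handleRedirect($q, $session), PHP_EOL;

// Constructed sample: the same denial with the state echoed back as required.
$state = issueState($session);
parse_str('error=access_denied&state=' . $state, $q);
echo handleRedirect($q, $session), PHP_EOL;
```

The first redirect is classified as 'invalid' and the second as 'denied'; only the second should be shown to the user as a genuine cancellation.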

@marco-sacchi Thanks for the detailed report! Unfortunately, stripe-php is not relevant in this flow, and the problem seems to be during the installation of a Stripe App. I'll flag internally, but I'd recommend moving your bug report to https://github.com/stripe/stripe-apps instead.