@@ 23,6 23,7 @@ import (
"fmt"
"math/big"
"net/http"
+ "net/url"
"time"
"go.bigb.es/auxilia/culpa"
@@ 349,11 350,14 @@ func (s *Stub) handleAuthorize(w http.ResponseWriter, r *http.Request) {
code := s.codes.Issue(s.devStubUser, codeChallenge, redirectURI, 5*time.Minute)
- location := redirectURI + "?code=" + code
+ // Per RFC 6749 §4.1.2, the redirect Location's query parameters must be
+ // properly percent-encoded. The current SPA only emits URL-safe chars,
+ // but PC1 requires literal RFC compliance for real-OP parity.
+ out := url.Values{"code": {code}}
if state != "" {
- location += "&state=" + state
+ out.Set("state", state)
}
- http.Redirect(w, r, location, http.StatusFound)
+ http.Redirect(w, r, redirectURI+"?"+out.Encode(), http.StatusFound)
}
// handleToken implements the token endpoint (RFC 6749 §4.1.3, RFC 7636 §4.6).
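Review bot: The new `redirectURI+"?"+out.Encode()` on the last changed line produces a second `?` whenever the registered redirect URI already carries a query component, which RFC 6749 §3.1.2 explicitly permits and requires the authorization server to retain when it appends `code` and `state`; a client registered as `https://app.example/cb?tenant=x` would receive `...?tenant=x?code=...` and fail to parse the code. Since the comment in this hunk argues for literal RFC compliance for real-OP parity, the same standard should apply to the query merge. Parsing the URI and merging into its existing query preserves the commit's percent-encoding fix and the alphabetical `code`, `state` order produced by `Encode()`. I cannot see where redirectURI is validated, as handleAuthorize begins above the hunk; if it is already checked against the registered value there, the parse error branch below is effectively unreachable but should still fail closed rather than redirect to a malformed location.
```go
	// … unchanged: code := s.codes.Issue(...) …
	// RFC 6749 §3.1.2: a registered redirect URI may carry its own query
	// component, which must be retained when code/state are appended.
	u, err := url.Parse(redirectURI)
	if err != nil {
		http.Error(w, "invalid redirect_uri", http.StatusBadRequest)
		return
	}
	q := u.Query()
	q.Set("code", code)
	if state != "" {
		q.Set("state", state)
	}
	u.RawQuery = q.Encode()
	http.Redirect(w, r, u.String(), http.StatusFound)
```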