Skip to content

fix URL injection via unencoded token in the user-info endpoint#434

Open
cportele wants to merge 1 commit into
masterfrom
encode-token
Open

fix URL injection via unencoded token in the user-info endpoint#434
cportele wants to merge 1 commit into
masterfrom
encode-token

Conversation

@cportele

Copy link
Copy Markdown
Contributor

TokenAuthenticator interpolated the client-supplied bearer token into the configured user-info endpoint URL without URL-encoding, so a crafted token could inject extra query parameters or path segments into the outbound request. URL- encode the token before substitution; the raw token is still sent in the Authorization header. A normal base64url JWT is unaffected.

Adds TokenAuthenticatorSpec.

TokenAuthenticator interpolated the client-supplied bearer token into the
configured user-info endpoint URL without URL-encoding, so a crafted token could
inject extra query parameters or path segments into the outbound request. URL-
encode the token before substitution; the raw token is still sent in the
Authorization header. A normal base64url JWT is unaffected.

Adds TokenAuthenticatorSpec.
@cportele cportele requested a review from azahnen as a code owner July 13, 2026 11:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant