Skip to content

fix(auth0-express): reserve OIDC Request-Object params in login handler#25

Open
frederikprijck wants to merge 1 commit into
mainfrom
fix/sdk-2-reserved-oauth-params
Open

fix(auth0-express): reserve OIDC Request-Object params in login handler#25
frederikprijck wants to merge 1 commit into
mainfrom
fix/sdk-2-reserved-oauth-params

Conversation

@frederikprijck

@frederikprijck frederikprijck commented Jul 9, 2026

Copy link
Copy Markdown
Member

Summary

filterAuthorizationParams forwarded any query param to startInteractiveLogin's authorizationParams unless reserved. The reserved set did not include the OIDC Request-Object params, so a crafted login link (/auth/login?request_uri=https://attacker/obj) could submit a Request Object to /authorize carrying its own parameters.

Changes

Added request, request_uri, id_token_hint, claims, response_mode to RESERVED_OAUTH_PARAMS.

prompt and login_hint are intentionally left forwardable — integrators commonly pass them on purpose. A guard test locks that in.

Tests

login-handler.spec.ts: new blocklist cases for the five params + a guard that prompt/login_hint still forward. Suite green.

Adds request, request_uri, id_token_hint, claims and response_mode to
the reserved OAuth params so a crafted login link cannot forward them to
/authorize. prompt and login_hint remain forwardable by design.

SECURITY: SDK-2 — widened authorize-request surface (CWE-601/CWE-235).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant