We have several customers using the Microsoft OpenID Connect plugin to connect Moodle to our IdP service by having our endpoints set in the plugin configuration. After changes in our implementations we received several complaints that authentication with Moodle via the Microsoft OpenID Connect plugin is no longer possible.
Users receive an error while loading the redirect URI:
There was a problem logging you in. Please contact your administrator for assistance.
We were able to track down the problem to the code parameter containing a correctly encoded colon (:) character.
RFC6749 "code" Syntax allows such a character in the code parameter:
VSCHAR = %x20-7E
[...]
A.11. "code" Syntax
The "code" element is defined in Section 4.1.3:
code = 1*VSCHAR
The code parameter is read via getoidcparam('code') and validated/sanitized by the regular expression preg_replace('/[^A-Za-z0-9\_\-\.\+\/\=]/i', '', $val).
A colon (:) should be allowed in validation.
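To make the failure reproducible outside Moodle, here is an added example (not code from the plugin or from this report) that mirrors the quoted preg_replace allowlist in Python, applies it to a constructed authorization code containing a colon, and contrasts it with the allowlist plus ':' and with a strict check against the RFC 6749 VSCHAR grammar. The sample code value and the redirect query string are constructed; the function names are my own.

```python
import re
from urllib.parse import parse_qs

# Constructed sample: an opaque authorization code as an IdP might issue it.
SAMPLE_CODE = "abc123:xyz.789"

# The plugin's current allowlist as quoted in the report, translated from
# PHP preg_replace('/[^A-Za-z0-9\_\-\.\+\/\=]/i', '', $val) to Python's re.
# Every character NOT in the class is deleted.
CURRENT_DISALLOWED = re.compile(r"[^A-Za-z0-9_\-.+/=]", re.IGNORECASE)

# The same allowlist with the colon added (the change the report asks for).
WITH_COLON_DISALLOWED = re.compile(r"[^A-Za-z0-9_\-.+/=:]", re.IGNORECASE)

# RFC 6749 Appendix A.11: code = 1*VSCHAR, where VSCHAR = %x20-7E.
# This accepts exactly the printable ASCII range and nothing else.
VSCHAR_CODE = re.compile(r"\A[\x20-\x7E]+\Z")


def sanitize_current(val: str) -> str:
    """Strip-style sanitizer as deployed: silently drops ':' (and anything else
    outside the allowlist), so the code forwarded to the token endpoint is not
    the one the IdP issued."""
    return CURRENT_DISALLOWED.sub("", val)


def sanitize_with_colon(val: str) -> str:
    """Same strip-style sanitizer with ':' allowed."""
    return WITH_COLON_DISALLOWED.sub("", val)


def is_vschar_code(val: str) -> bool:
    """True if val is a syntactically valid code per RFC 6749 (non-empty, all VSCHAR)."""
    return VSCHAR_CODE.fullmatch(val) is not None


def validate_code(val: str) -> str:
    """Reject-style validation: return the code unchanged if it is grammatical,
    otherwise raise. Rejecting (and logging) is preferable to stripping, because
    a stripped code fails later at the token endpoint with a generic error that
    is much harder to diagnose than an explicit validation failure here."""
    if not is_vschar_code(val):
        raise ValueError("authorization code contains characters outside VSCHAR")
    return val


def code_from_redirect_query(query: str) -> str:
    """Extract and percent-decode the code parameter from a redirect URI query
    string, the way a web framework would before the plugin sees the value."""
    params = parse_qs(query, strict_parsing=True)
    return params["code"][0]


if __name__ == "__main__":
    # Constructed redirect query: the colon arrives correctly encoded as %3A.
    received = code_from_redirect_query("code=abc123%3Axyz.789&state=s1")
    print("received:          ", received)
    print("current allowlist: ", sanitize_current(received))
    print("allowlist + colon: ", sanitize_with_colon(received))
    print("RFC 6749 VSCHAR ok:", is_vschar_code(received))
    print("control char ok:   ", is_vschar_code("abc\x01"))
```

Running this shows the current allowlist turning the received code into a different string, while both the widened allowlist and the VSCHAR check keep it intact; the VSCHAR check still rejects control characters and non-ASCII input, so widening the validation to what the RFC actually permits does not mean accepting arbitrary bytes.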