I made a stupid bug today and I managed to provide two state parameters to the /authentication endpoint like this:
GET https://edument.eu.auth0.com/authorize?scope=name+email+profile+openid+offline_access
&response_type=code+token+id_token
&client_id=xxxxxxxxxxx
&state=23453
&redirect_uri=https://localhost:5001/HybridFlow/callback
&state=44333
&nonce=43781 HTTP/1.1
And in the response back I got the two state parameters back:
https://localhost:5001/HybridFlow/callback
#access_token=xxxxxxxxxxxxxxxxxxxxxxx
&scope=openid%20profile%20email%20offline_access
&expires_in=7200
&token_type=Bearer
&state=23453
&state=44333
&code=uL_XilaYQScwnxTT
&id_token=xxxxxxxxxxx.xxxxxxxxxxxxx.xxxxxxx-xxxxxxxxxxxxx-g
Vary: Accept
I would expect as state is somewhat important parameter, that you would reject an authentication request with duplicate state values. Then of course the issue is if the second provided state parameter is considered as part of the redirect_uri or not. Perhaps a potential theoretical security issue?