We recently discovered that your OAuth authorization process tacks on a “scope” query parameter to the redirect_uri we provided during the “Request an Access Token” step. (P.S. This isn’t documented in the Authentication Guide.) The value of this parameter contains an unencoded pipe (i.e. |) character, so it’s something like scope=|wn255.infusionsoft.com. This caused issues for us because an unencoded pipe in a query parameter breaks AWS gateway rules for requests, and is blocked by the latest Tomcat by default as well. In the case of Tomcat, they do provide a config setting that allows pipe characters as a workaround:
However, as Tomcat’s configuration comment states, enabling that opens the Tomcat instance to be exploitable by CVE-2016-6816.
Can the Infusionsoft API devs make a change so that the query parameters attached to the redirect_uri are always URL encoded? In this case, the | character would be turned into
I submitted a ticket for this a couple of weeks back (case number 00962716), but I haven’t heard back about it, so I thought I’d try here.
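As an added illustration of the encoding the post asks for (this is example code written for this page, not code from the original post or from Infusionsoft), the following checks a redirect URI's query against the RFC 3986 query grammar, which is what a strict server such as Tomcat enforces when it rejects a raw "|", and shows how appending the scope parameter with percent-encoding turns "|" into "%7C" while still round-tripping to the original value. The callback URL on client.example and the function names are assumptions for the example.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# RFC 3986: query = *( pchar / "/" / "?" )
#           pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
SUB_DELIMS = set("!$&'()*+,;=")
QUERY_ALLOWED = UNRESERVED | SUB_DELIMS | set(":@/?")
PCT_ENCODED = re.compile(r"%[0-9A-Fa-f]{2}")


def illegal_query_chars(url):
    """Characters in the URL's query that RFC 3986 does not allow to appear raw.

    A well-formed %XX escape is fine; a bare '%' or any other character outside
    the query grammar (such as '|') is reported. Strict servers reject these.
    """
    query = urlsplit(url).query
    stripped = PCT_ENCODED.sub("", query)  # drop valid escapes; a stray '%' survives and gets flagged
    return sorted({c for c in stripped if c not in QUERY_ALLOWED})


def append_query_params(redirect_uri, params):
    """Return redirect_uri with params appended to its query, percent-encoded.

    Existing query parameters are preserved. Every character outside the
    unreserved set is escaped, so '|wn255.infusionsoft.com' becomes
    '%7Cwn255.infusionsoft.com' and the result passes illegal_query_chars().
    """
    parts = urlsplit(redirect_uri)
    pairs = parse_qsl(parts.query, keep_blank_values=True) + list(params.items())
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(pairs), parts.fragment))


def query_params(url):
    """Decode the query back into a dict, so the caller sees the original values."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


if __name__ == "__main__":
    # Constructed sample: a client callback URL (client.example is made up) carrying
    # the kind of unencoded scope parameter described in the post.
    observed = "https://client.example/oauth/callback?code=abc123&scope=|wn255.infusionsoft.com"
    print("raw redirect:     ", observed)
    print("illegal characters:", illegal_query_chars(observed))  # ['|']

    fixed = append_query_params("https://client.example/oauth/callback?code=abc123",
                                {"scope": "|wn255.infusionsoft.com"})
    print("encoded redirect: ", fixed)
    print("illegal characters:", illegal_query_chars(fixed))  # []
    print("decoded scope:     ", query_params(fixed)["scope"])  # '|wn255.infusionsoft.com'
```

The same check can be run on the client side against whatever the authorization server actually sends back, so that an unencoded redirect is caught in the client's own logs before the gateway or servlet container silently drops the request.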