Avoid Using '&'reg_code in /authenticate Request clientless-avoid-using-reg_code-in-authenticate-request
Issue
The IE 9 browser interprets ‘®’ as a special command and converts it to ®.
Explanation
If the /authenticate
request is composed as follows…
<FQDN>authenticate? requestor_id=someRequestor®_code=EKAFMFI&domain_name=someRequestor.com&noflash=true&mso_id=someMvpd&redirect_url=someRequestor.redirect.url.html
…it will be interpreted by IE browser like below and will be sent to Adobe in this format:
<FQDN>authenticate?requestor_id=someRequestor®_code=EKAFMFI&domain_name=someRequestor.com&noflash=true&mso_id=someMvpd&redirect_url=someRequestor.redirect.url.html
The requestor_id will be interpreted as univision®_code=EKAFMFI, since there is no ‘&’, and Adobe will not find a regCode
param to associate the token with. There is a chance that the AuthN token will not be created at all, in which case /checkauthn
calls will fail to find any tokens.
Solution
One of the following options should solve this issue:
-
Avoid using the
®_code
param between the other query string params. Instead move it to the first query-string parameter in the request URL, making the request url like this:code language-none <FQDN>authenticate?reg_code =EKAFMFI&requestor_id=someRequestor&domain_name=someRequestor.com&noflash=true&mso_id=someMvpd&redirect_url=someRequestor.redirect.url.html
In this way, the
®
param will not be interpreted incorrectly. -
Normalize
®_code
as using&reg_code
. -
Adobe could introduce a new feature to send an error code back to the 2nd screen in response to an authentication call, if the AuthN token creation failed.