I'm using OIDC login with AuthorizationCode flow, and everything works fine, except I have to pass some parameters in the redirect URI.
OIDC authentication tokens (code, state) are passed in POST.
In the Querystring of the redirect URI, I pass some url-encoded parameters, e.g.:
https://test.auth0.com/authorize?response_type=code&
nonce=...&
state=...&
code_challenge=...&
code_challenge_method=S256&
client_id=...&
scope=openid%20profile%20email%20api&
response_mode=form_post&
redirect_uri=http%3a%2f%2flocalhost%3a60000%2fDefault.aspx%3fAppToOpen%3dA01
Correctly calls me back to:
http://localhost:60000/Default.aspx?AppToOpen=A01
Passing one parameter is fine, but when I send more than one:
https://test.auth0.com/authorize?response_type=code&
nonce=...&
state=...&
code_challenge=...&
code_challenge_method=S256&
client_id=...&
scope=openid%20profile%20email%20api&
response_mode=form_post&
redirect_uri=http%3a%2f%2flocalhost%3a60000%2fDefault.aspx%3fAppToOpen%3dA01%26BodCode%3DSO_2
It redirects to this URL:
http://localhost:60000/Default.aspx?AppToOpen=A01&BodCode=SO_2
As you can see, %26 is correctly decoded to &, but then is encoded to &.
How to avoid that re-encoding?
Or, is it possible to have some parameters passed in POST instead?