VerifyAssertion does not fail when return URL with different parameter is provided.

[OndrishD]

There is a bug on line 994 in openid.js

The foreach iterator for query parameters is checking for different values on receivedReturnUrl and assertionUrl which is the same URL as receivedReturnUrl was constructed from assertionUrl. Therefore it always evaluate to FALSE and fails to detect if query parameters of return url are mismatched.

for (var param in receivedReturnUrl.query) {
    // THIS IS ALWAYS FALSE
    if (hasOwnProperty(receivedReturnUrl.query, param) && receivedReturnUrl.query[param] !== assertionUrl.query[param]) {
      return false;
    }
  }

I think the intended code was meant to be as follows:

for (var param in originalReturnUrl.query) {
    if (hasOwnProperty(receivedReturnUrl.query, param) && receivedReturnUrl.query[param] !== originalReturnUrl.query[param]) {
      return false;
    }
  }

[havard]

Yes, it seems you are correct. Would you care to make a PR? I'd be happy to review and pull.

[RomenPoirierTaksev]

Hello! im still having this issue today. Any chance I can open a PR and get this through?

[havard]

Sure!