Okta Cookie `okta-oauth-redirect-params` invalid according to HTTP spec


I know it’s common for people to put loads of stuff in cookies, but I struggled a bit with an Okta cookie today, okta-oauth-redirect-params, while working on a web server in Python. This is because this cookie’s value is JSON, and the Python web server uses the Python (3.8) standard library module http.cookies to parse cookies. This results in everything after the okta-oauth-redirect-params cookie being unavailable to my server.

Here’s an example:

In [1]: import http.cookies

In [2]: cookieval = """okta-oauth-nonce=validAsciiblabla; okta-oauth-state=validAsciiBlabla; okta-oauth-redirect-params={"responseType":"code","state":"somestate","nonce":"somenonce","scopes":["openid","profile","email","phone"],"urls":{"issuer":"https://subdomain.okta.com/oauth2/authServer","authorizeUrl":"https://subdomain.okta.com/oauth2/authServer/v1/authorize","userinfoUrl":"https://subdomain.okta.com/oauth2/authServer/v1/userinfo"}}; importantCookie=importantValue; sessionCookie=importantSessionValue"""
   ...: cookie = http.cookies.SimpleCookie()
   ...: cookie.load(cookieval)
   ...: cookie.keys()
Out[2]: dict_keys(['okta-oauth-nonce', 'okta-oauth-state'])

The problem is that only the first two cookies are retrievable by my application because everything afterward is thrown away when parsing fails.

This application is a simple backend web application with the embedded Okta sign-in widget. Is there some way to prevent the Sign-In widget from setting okta-oauth-redirect-params, or is there some way to tell Okta to base64 encode it so that it doesn’t break cookie parsing further upstream?
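The following is an added example, not code from the post or from Okta. It reproduces the standard-library behaviour shown in the session above on a constructed Cookie header modelled on that one, and places beside it a tolerant parser (split on `;`, then on the first `=`, the lenient approach most web frameworks use on the server side) that keeps every well-formed pair, so the cookies that follow the JSON-valued one still reach the application. The function names `stdlib_cookie_names`, `parse_cookie_header` and `okta_redirect_params` are this example's own.

```python
import http.cookies
import json
import logging
from typing import Dict, List

log = logging.getLogger(__name__)

# Constructed Cookie header modelled on the one in the post above: the third
# cookie's value is raw JSON, which contains double quotes, commas and braces.
COOKIE_HEADER = (
    "okta-oauth-nonce=validAsciiblabla; "
    "okta-oauth-state=validAsciiBlabla; "
    'okta-oauth-redirect-params={"responseType":"code","state":"somestate",'
    '"nonce":"somenonce","scopes":["openid","profile","email","phone"],'
    '"urls":{"issuer":"https://subdomain.okta.com/oauth2/authServer",'
    '"authorizeUrl":"https://subdomain.okta.com/oauth2/authServer/v1/authorize",'
    '"userinfoUrl":"https://subdomain.okta.com/oauth2/authServer/v1/userinfo"}}; '
    "importantCookie=importantValue; "
    "sessionCookie=importantSessionValue"
)


def stdlib_cookie_names(header: str) -> List[str]:
    """Names that http.cookies.SimpleCookie keeps from a Cookie header.

    SimpleCookie stops at the first name=value pair its regex cannot match
    and silently discards everything after it.
    """
    jar = http.cookies.SimpleCookie()
    jar.load(header)
    return list(jar.keys())


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Tolerant Cookie-header parser: split on ';', then on the first '='.

    Every well-formed name=value pair is kept, so cookies that follow an
    unusual value still reach the application. Malformed chunks are logged
    rather than silently dropped. Values are not validated here; callers
    decode them (for example with json.loads) and handle errors themselves.
    Caveat: a value containing a literal ';' would be cut in two, as it would
    be by any ';'-splitting parser.
    """
    cookies: Dict[str, str] = {}
    for chunk in header.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        name, sep, value = chunk.partition("=")
        name, value = name.strip(), value.strip()
        if not sep or not name:
            log.warning("skipping malformed cookie chunk %r", chunk[:40])
            continue
        # Unwrap one layer of surrounding double quotes, as SimpleCookie does.
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        # Keep the first occurrence of a duplicated name (a design choice for
        # this example, so a later duplicate cannot override an earlier one).
        if name in cookies:
            log.warning("duplicate cookie %r ignored", name)
            continue
        cookies[name] = value
    return cookies


def okta_redirect_params(cookies: Dict[str, str]) -> dict:
    """Decode the JSON in okta-oauth-redirect-params; {} if absent or invalid."""
    raw = cookies.get("okta-oauth-redirect-params")
    if raw is None:
        return {}
    try:
        parsed = json.loads(raw)
    except ValueError:
        log.warning("okta-oauth-redirect-params is not valid JSON")
        return {}
    return parsed if isinstance(parsed, dict) else {}


if __name__ == "__main__":
    print("SimpleCookie kept:", stdlib_cookie_names(COOKIE_HEADER))
    tolerant = parse_cookie_header(COOKIE_HEADER)
    print("tolerant parser kept:", sorted(tolerant))
    print("session cookie:", tolerant["sessionCookie"])
    print("redirect scopes:", okta_redirect_params(tolerant).get("scopes"))
```

Run stand-alone it prints the two names SimpleCookie keeps next to all five the tolerant parser keeps. The point worth keeping from the defender's side is the logging: a cookie pair dropped without a trace turns a lost session cookie into a puzzling "not logged in" report, so anything the parser skips should be visible in the server log.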


Well, it turns out I was out of date on the spec. I will probably get this changed in the web framework I was using.