- Version: 0.5.1
- Target: Windows, Mac, Linux
Summary
Since v0.5.0, opening an external URL in a BrowserWindow breaks any endpoint that does strict query-parameter validation, because Electron.NET appends its internal token parameter to every loaded URL — including third-party sites.
The most visible symptom is Google OAuth: the sign-in window loads and immediately shows:
Access blocked: Authorization Error
Parameter not allowed for this message type: token
Error 400: invalid_request
This worked correctly in v0.4.1 and broke in v0.5.0 with the introduction of the authentication token.
Root Cause
The authentication token added in 0.5.0 (to secure communication between the spawned Electron process and the .NET backend) is unconditionally appended to the initial URL of any window.
In src/ElectronNET.Host/api/browserWindows.ts (compiled browserWindows.js):
if (loadUrl) {
    // Append authentication token to initial URL if available
    const token = global["authToken"];
    if (token) {
        const separator = loadUrl.includes("?") ? "&" : "?";
        window.loadURL(`${loadUrl}${separator}token=${token}`);
    } else {
        window.loadURL(loadUrl);
    }
}
So a URL like:
https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=...&scope=...&redirect_uri=...
becomes:
https://accounts.google.com/o/oauth2/v2/auth?...&token=<authToken>
Google (and any endpoint that validates the set of allowed parameters) rejects the unexpected token parameter.
The token only needs to be attached to requests to the app's own .NET backend, not to arbitrary external URLs. Appending it to third-party URLs also discloses the backend token to every external site the app opens, since query strings are routinely recorded in the receiving server's request logs.
Steps to Reproduce
- Create a window that loads an external OAuth URL, e.g.:
      await Electron.WindowManager.CreateWindowAsync(
          new BrowserWindowOptions { Show = true, Width = 400, Height = 600 },
          "https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=<your-client-id>&scope=openid%20email&redirect_uri=http%3A%2F%2F127.0.0.1%3A57693%2Fauth&response_mode=query");
- Run the app and observe the window.
Expected Behavior
The external URL is loaded exactly as provided (as in v0.4.1), and Google OAuth sign-in is displayed.
Actual Behavior
token=<guid> is appended to the URL and Google returns Error 400: invalid_request — "Parameter not allowed for this message type: token".
Suggested Fix
Only append the auth token for internal/app URLs (e.g. localhost / the configured electronUrl), and load external URLs unchanged.