I just came across a problem where Grant, an OAuth middleware, was sometimes throwing an error when redirecting back from the Google OAuth endpoint to the middleware endpoint, although the authentication was successful.
After some research I realized that if there is no active Google session in the browser (not logged in with google.com), the query string of the redirect URL is properly encoded and everything is working fine.
But if there is already a user logged in, the code parameter of the query string is unencoded, which is throwing a malformed_auth_token error on my OAuth middleware.
I further tested with different accounts, and every code token returned by the Google endpoint contained a forward slash as its 2nd character.
So I would like to know whether Google is bugged and incorrectly returning unencoded parameters, or whether the OAuth middleware should handle both cases, encoded and unencoded parameters?
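The two callback forms described in the question, as an added example that is not part of the original post and is not Grant's code: it shows that a standards-compliant query parser returns the same `code` for both forms, and that skipping the decode step on the encoded form double-encodes the value in the token request. The callback URLs, the code value and all function names are constructed for illustration.

```javascript
// Constructed callback URLs: same authorization code, with and without
// percent-encoding of the slash. RFC 3986 allows a literal "/" in a query.
const ENCODED = 'https://app.example/connect/google/callback?code=4%2FAbCdEf-123&state=xyz';
const RAW = 'https://app.example/connect/google/callback?code=4/AbCdEf-123&state=xyz';
const REDIRECT_URI = 'https://app.example/connect/google/callback'; // assumed value

// Robust: let the URL parser split the query and percent-decode each value.
function extractCode(callbackUrl) {
  return new URL(callbackUrl).searchParams.get('code');
}

// Fragile (hypothetical handler): slices the raw query text and never decodes.
function extractCodeNaive(callbackUrl) {
  const query = callbackUrl.split('?')[1] || '';
  for (const pair of query.split('&')) {
    const idx = pair.indexOf('=');
    const name = idx === -1 ? pair : pair.slice(0, idx);
    if (name === 'code') return idx === -1 ? '' : pair.slice(idx + 1);
  }
  return null;
}

// Body of the token request: form encoding is applied exactly once here,
// so the input must be the decoded code value.
function tokenRequestBody(code) {
  return new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    redirect_uri: REDIRECT_URI,
  }).toString();
}

function codeField(body) {
  return body.split('&').find((p) => p.startsWith('code='));
}

function main() {
  for (const [label, url] of [['encoded', ENCODED], ['raw', RAW]]) {
    console.log(label, 'parsed:', codeField(tokenRequestBody(extractCode(url))));
    console.log(label, 'naive :', codeField(tokenRequestBody(extractCodeNaive(url))));
  }
}

main();
```

With the parser-based extraction both callbacks produce the same token request; the naive path sends `%252F` for the encoded callback, which an authorization server would not recognise as the issued code.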