Google OAuth 2 and state parameter values must be registered in the redirect URL

The state parameter, as described in the Google OAuth 2.0 docs:

Indicates any state which may be useful to your application upon receipt of the response. The Google Authorization Server round-trips this parameter, so your application receives the same value it sent. Possible uses include redirecting the user to the correct resource on your site, nonces, and cross-site request forgery mitigations.

I would like to use the state parameter as a means of knowing from which subdomain the original OAuth request was initiated. But the redirect_state parameter must be registered as part of one of the "Authorized Redirect URIs." If it is not, I get:

Error: redirect_uri_mismatch redirect URI in request: http://my_server.com/complete/google-oauth2/?redirect_state=2 does not match the registered redirect URI

I need a solution that does not require registering every possible redirect_state value in the allowed redirect URIs, since that is not very convenient. Ideas?

+7
1 answer

The parameter name is state (not redirect_state)!

OAuth request example as per the Google documentation:

 https://accounts.google.com/o/oauth2/auth?scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile&state=%2Fprofile&redirect_uri=https%3A%2F%2Foauth2-login-demo.appspot.com%2Fcode&response_type=code&client_id=812741506391.apps.googleusercontent.com&approval_prompt=force

Note the state parameter and the redirect_uri parameter. I think you mixed these two up.

EDIT: here is a link from Google. It has a good explanation of the state parameter and of building the web request.

+14
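The pattern the answer points at, as an added example that is not part of the question or the answer: the redirect_uri stays fixed (the one registered with Google), and the originating subdomain travels in state together with a random nonce, wrapped in an HMAC so the callback can reject a forged or tampered value and then send the user back to the right subdomain. The secret key, the set of allowed subdomains, the example.com host and the helper names are constructed assumptions; the client_id, redirect_uri and scopes are taken from the answer's sample request.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for the example. SECRET_KEY is a hypothetical
# server-side secret; only the server ever sees it.
SECRET_KEY = b"example-server-side-secret-rotate-me"
CLIENT_ID = "812741506391.apps.googleusercontent.com"       # from the answer's sample
REDIRECT_URI = "https://oauth2-login-demo.appspot.com/code"  # the single registered URI
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"
SCOPES = ("https://www.googleapis.com/auth/userinfo.email "
          "https://www.googleapis.com/auth/userinfo.profile")
ALLOWED_SUBDOMAINS = {"app1", "app2"}                        # assumed allow-list


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_state(subdomain: str) -> str:
    """Pack the originating subdomain and a fresh nonce into a signed state value."""
    payload = {"sub": subdomain, "nonce": secrets.token_urlsafe(16)}
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def parse_state(state: str):
    """Return the payload if the signature is valid and the subdomain is allowed, else None."""
    try:
        body, sig = state.split(".", 1)
        expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None
        payload = json.loads(_unb64url(body))
    except ValueError:          # malformed base64 / JSON / missing separator
        return None
    if payload.get("sub") not in ALLOWED_SUBDOMAINS:
        return None
    return payload


def build_auth_url(subdomain: str):
    """Build the authorization URL; the caller stores the returned state in the user's session."""
    state = make_state(subdomain)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,  # unchanged for every subdomain
        "scope": SCOPES,
        "state": state,
    }
    return AUTH_ENDPOINT + "?" + urlencode(params), state


def handle_callback(callback_url: str, session_state: str):
    """Validate the callback and return where to send the user, or None on any mismatch."""
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [None])[0]
    code = qs.get("code", [None])[0]
    if not state or not code:
        return None
    # The state must be the one issued to this session (CSRF binding)...
    if not hmac.compare_digest(state, session_state):
        return None
    # ...and carry a valid signature and an allowed subdomain.
    payload = parse_state(state)
    if payload is None:
        return None
    # The code would now be exchanged for tokens; here we only route the user home.
    return f"https://{payload['sub']}.example.com/login-complete"


if __name__ == "__main__":
    url, issued = build_auth_url("app1")
    print(url)
    cb = REDIRECT_URI + "?" + urlencode({"state": issued, "code": "4/constructed-code"})
    print(handle_callback(cb, issued))
```

The session check and the HMAC check do different jobs: the first ties the callback to the browser that started the flow, the second lets the server trust the subdomain it reads back without registering anything extra with Google.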
