I use Facebook OAuth 2.0 to log in to my site.
Redirect URL: http://www.test.com/#/a/b
But the URL is changed when Facebook redirects; the new URL is: http://www.test.com/?code=xxxx#/a/b
#/a/b is moved to the end of the link; I expected the URL to be: http://www.test.com/#/a/b?code=xxxx
What can I do? Thanks.
The returned OAuth code needs to be specified as a query parameter. Therefore it needs to be in front of the hash segment of the URL.
If the # symbol should be part of the path segment of the url you need to escape it accordingly.
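The split the answer describes, shown with the URLs from the question (an added example, not part of the original posts; `parseCallback` is a hypothetical helper name). It also removes the one-time code from the URL after reading it, so it does not stay in the address bar or browser history.

```javascript
// Added example: how a URL parser splits an OAuth callback for a hash-routed SPA.
// parseCallback() is a hypothetical helper; the URLs are the ones from the question.
function parseCallback(href) {
  const url = new URL(href);
  // Only the query reaches the server; the fragment stays in the browser.
  const code = url.searchParams.get('code');
  const route = url.hash.replace(/^#/, '') || '/';

  // Drop the one-time values once they have been read.
  url.searchParams.delete('code');
  url.searchParams.delete('state');
  return { code, route, cleanUrl: url.toString() };
}

// What Facebook actually redirected to: the code is in the query.
const actual = parseCallback('http://www.test.com/?code=xxxx#/a/b');
console.log(actual);
// { code: 'xxxx', route: '/a/b', cleanUrl: 'http://www.test.com/#/a/b' }

// What the question expected: everything after '#' is fragment, so
// '?code=xxxx' is not a query at all and no code is found.
const expected = parseCallback('http://www.test.com/#/a/b?code=xxxx');
console.log(expected);
// { code: null, route: '/a/b?code=xxxx', ... }

// If '#' is meant to be a literal path character, it is escaped as %23.
const escaped = new URL('http://www.test.com/' + encodeURIComponent('#') + '/a/b?code=xxxx');
console.log(escaped.pathname, escaped.searchParams.get('code'), escaped.hash);
// '/%23/a/b' 'xxxx' ''
```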
Related
I have an application with two routes ("" and "page") with a simple target attached to each (not the same). When I now navigate from the root route "" to "page", the URL in the URL bar of the browser changes to <baseurl>#/page. Also when simply entering <baseurl>#/page in the URL bar of the browser, the proper view is displayed, that was configured via route and target.
Is it possible to configure UI5 - presumably the router - to omit the # in the URL, such that navigation changes the URL to <baseurl>/page and simply entering <baseurl>/page brings me to the corresponding page?
My use case is the following: I want to have an application with OAuth login (implicit grant flow) with a dedicated route/view/controller to handle the callback. The authorization server asks for the callback URL to be configured and forbids the usage of the symbol # in the callback URL, which makes sense as the implicit flow will pass the data back either within the fragment of the URL, which would be appended after the # of my URL violating the URL anatomy.
I'm using the omniauth-google-oauth2 gem to sign in users with Google.
After the OAuth response is handled in the controller, the user is redirected to another page: /dashboard. When landing on this page, an octothorpe (aka a hash/number/pound) character is added to the URL:
https://myapp.tld/dashboard#
From what it seems, that pound sign is somehow coming with the oauth response. But I cannot gather how and why it consequently gets passed on to the final page.
Any clues how this happens OR otherwise how to clear a redirect from passing that character?
Make sure your response type is set to code in the URL you are providing the user.
response_type=code
Steps to reproduce
1. Register a redirect_uri in the client: http://example.com/publisher/auth
2. Direct a user to the /oauth/authorize endpoint with the redirect_uri including a query parameter:
   https://api.instagram.com/oauth/authorize/?client_id=xxx&redirect_uri=http%3A%2F%2Fexample.com%2Fpublisher%2Fauth%3FinviteId%3D00001000-cf33-11e4-9f26-8789dd0b3e01&response_type=code&scope=basic&type=web_server
   For reference, those query parameters are:
   client_id=xxx
   redirect_uri=http%3A%2F%2Fexample.com%2Fpublisher%2Fauth%3FinviteId%3D00001000-cf33-11e4-9f26-8789dd0b3e01
   response_type=code
   scope=basic
   type=web_server
3. Authenticate an instagram user and allow the app.
4. The user is redirected back to the correct redirect_uri.
5. Use the code query parameter from the redirected URI to post to Instagram's /oauth/access_token endpoint.
Expected behavior
The endpoint responds with 200 and an access token.
Actual behavior
The endpoint responds with:
code=400
error_type = 'OAuthException'
error_message = 'Redirect URI doesn't match original redirect URI'
What I've Investigated So Far
To confirm that this is a problem with Instagram, I checked the API docs which very clearly state that adding query parameters to the redirect URI should be possible. I also tried varying only that query parameter. For example, when replaced with this /oauth/authorize URL I get the expected behavior:
https://api.instagram.com/oauth/authorize/?type=web_server&client_id=xxx&redirect_uri=http%3A%2F%2Fexample.com%2Fpublisher%2Fauth&response_type=code&scope=basic
For reference, those query parameters are:
client_id=xxx
redirect_uri=http%3A%2F%2Fexample.com%2Fpublisher%2Fauth
response_type=code
scope=basic
type=web_server
Notes
This question is actually a duplicate of another question which actually didn't really turn out to be a question, and which never got any answers.
I have submitted a bug with Instagram, but I wanted to see if anyone had found this or come up with a workaround.
Had the same issue today. To get the custom data passed between requests you must include it as state param. My authorize request url looked something like this:
https://www.instagram.com/oauth/authorize?client_id=SOME_CLIENT_ID&response_type=code&redirect_uri=http://example.com/auth/InstagramRedirect/&state=855C0114-F860-420A-AEB1-A276644FCCEA
Notice the & and state=...
You have to provide the redirect_uri with your extra search params as the last parameter:
https://www.instagram.com/oauth/authorize/?client_id=be1b911b487f4919b9c2fb7df0c4142c&type=web_server&response_type=code&scope=basic&redirect_uri=https://wpwifidemo.alepo.net/instagram/joinus/?inviteId=00001000-cf33-11e4-9f26-8789dd0b3e01
User will be redirected to:
https://wpwifidemo.alepo.net/instagram/joinus/?inviteId=00001000-cf33-11e4-9f26-8789dd0b3e01&code=CODE
This might be too late a reply for this question, but I faced the same issue today and found this question already posted. The solution for passing parameters to the authentication URL is as follows.
It seems that your extra parameter is type=web_server. Taking that into consideration, your URL for getting the code should be as follows:
https://www.instagram.com/oauth/authorize/?client_id=be1b911b487f4919b9c2fb7df0c4142c&redirect_uri=https://wpwifidemo.alepo.net/instagram/joinus/?type=web_server&response_type=code&scope=basic
And then while calling the accessToken API append your redirect_uri parameter with your passed parameter (not the same configured in the app).
e.g.
redirect_uri=http%3A%2F%2Fexample.com%2Fpublisher%2Fauth%3FinviteId%3D00001000-cf33-11e4-9f26-8789dd0b3e01?type=web_server
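A sketch of the `state` approach from the first answer, added here as an example and not taken from any of the posts: the invite id is kept server-side under an unguessable, single-use `state` value, and the same `redirect_uri` string is sent to both the authorize and the access-token request. The in-memory `pending` map and both function names are assumptions, and the provider is assumed to echo `state` back as that answer describes.

```javascript
const crypto = require('crypto');

// Redirect URI from the question, used unchanged in both requests.
const REDIRECT_URI = 'http://example.com/publisher/auth';
// state -> app data. Stands in for a server-side session store (assumption).
const pending = new Map();

function buildAuthorizeUrl(clientId, appData) {
  const state = crypto.randomBytes(16).toString('hex'); // unguessable, single use
  pending.set(state, appData);
  const url = new URL('https://api.instagram.com/oauth/authorize/');
  url.search = new URLSearchParams({
    client_id: clientId,
    redirect_uri: REDIRECT_URI, // percent-encoded exactly once by URLSearchParams
    response_type: 'code',
    scope: 'basic',
    state,
  }).toString();
  return { state, url: url.toString() };
}

function handleCallback(callbackHref, clientId) {
  const params = new URL(callbackHref).searchParams;
  const state = params.get('state');
  const code = params.get('code');
  if (!code || !state || !pending.has(state)) {
    throw new Error('missing code, or unknown or replayed state');
  }
  const appData = pending.get(state);
  pending.delete(state); // a state value is accepted once
  // Form body for the POST to /oauth/access_token (standard OAuth 2.0 fields;
  // the server adds client_secret before sending).
  const tokenRequest = new URLSearchParams({
    client_id: clientId,
    grant_type: 'authorization_code',
    redirect_uri: REDIRECT_URI, // same string as in the authorize request
    code,
  });
  return { appData, tokenRequest };
}

// Constructed sample run: the invite id is looked up by state, not by URL parameter.
const sample = buildAuthorizeUrl('xxx', { inviteId: '00001000-cf33-11e4-9f26-8789dd0b3e01' });
const result = handleCallback(`${REDIRECT_URI}?code=CODE&state=${sample.state}`, 'xxx');
console.log(sample.url, result.appData, result.tokenRequest.toString());
```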
I'm trying to set up Bitbucket OAuth for my site but for some reason Bitbucket is not properly redirecting back to my site. I've created an OAuth key and secret and I'm using the Guzzle OAuth plugin in my Silex application.
First I request a temporary token via the oauth/request_token endpoint. Using that token I redirect to oauth/authenticate endpoint:
    $app->get(
        '/auth/bitbucket',
        function () use ($app) {
            $client = new Client('https://bitbucket.org/api/1.0');
            $oauth = new OauthPlugin(
                array(
                    'consumer_key' => $app['bitbucket.key'],
                    'consumer_secret' => $app['bitbucket.secret'],
                    'signature_method' => 'HMAC-SHA1',
                    'callback' => urlencode('http://mysite.local/auth/bitbucket/callback')
                )
            );
            $client->addSubscriber($oauth);
            $response = $client->post('oauth/request_token')->send();
            parse_str($response->getBody(), $result);
            return $app->redirect(sprintf('https://bitbucket.org/api/1.0/oauth/authenticate?oauth_token=%s', $result['oauth_token']));
        }
    );
This will bring up the page on the Bitbucket site where the user can grant or deny access to their account. After I click "Grant access" Bitbucket should redirect back to the callback url that was specified earlier but instead it will append my callback url to the Bitbucket url like this:
https://bitbucket.org/api/1.0/oauth/http%3A%2F%2Fmysite.local%2Fauth%2Fbitbucket%2Fcallback?oauth_verifier=xxxxxxxxxx&oauth_token=xxxxxxxxxxxxxxxxxx
This obviously results in a Bitbucket 404 page. Does anyone have an idea why the redirect to my callback url is not working properly?
According to the documentation, when requesting a token from Bitbucket's API, you MUST have these parameters when sending a POST request to https://bitbucket.org/api/1.0/oauth/request_token:
oauth_consumer_key
oauth_nonce
oauth_signature
oauth_signature_method
oauth_timestamp
oauth_callback
Also, don't urlencode your callback URL. Replace this:
'callback' => urlencode('http://mysite.local/auth/bitbucket/callback')
With this:
'callback' => 'http://mysite.local/auth/bitbucket/callback'
When you are sending a POST request, you do not need to encode any of the parameters.
Indeed, as you mentioned in a comment, the documentation does show encoded parameters in its example, as in:
https://bitbucket.org/api/1.0/oauth/request_token?oauth_version=1.0&oauth_nonce=7f2325b3c36bd49afa0a33044d7c6930&oauth_timestamp=1366243208&oauth_consumer_key=HUpRcDUduZrepL6sYJ&oauth_callback=http%3A%2F%2Flocal%3Fdump&oauth_signature_method=HMAC-SHA1&oauth_signature=qZyTwVA48RzmtCHvN9mYWmlmSVU%3D
The issue you have is not wrong documentation, but a misunderstanding of the POST method. Also check the Wikipedia page. Unlike GET, where parameters are passed in the URL, the POST request method stores its data in the body. That allows us to send any data type, arbitrarily long.
Data that is passed in the body of the request is automatically encoded as in this example (copied from the Wikipedia page):
Name=Jonathan+Doe&Age=23&Formula=a+%2B+b+%3D%3D+13%25%21
Looks similar to the GET method when you encode data manually, right? However, if you urlencode data in a POST request you actually end up with double-encoded data, which is the cause of the problems in your case.
I really think that some basic knowledge of HTTP methods and Internet protocols is required before playing with any API.
Also, check out an HTTP traffic monitor (debugger), like the free Fiddler. It will allow you to see all HTTP data that is sent from your browser, essentially enabling you to learn from your own examples.
I'm not sure how your framework works, but the callback parameter may be url encoded by the framework before the request is made. Since you also url encode it, your url is url encoded twice. Bitbucket will decode it once, leaving it with a url encoded url, which won't have the scheme set (http in this case), and your browser won't know it is an absolute URL, and will thus navigate to somewhere inside Bitbucket (as you observe). Try removing the extra url encode and see if that helps.
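The double-encoding effect both answers describe, reproduced as an added example in JavaScript (not code from the posts or from Guzzle). `sendAndReceive`, `resolveRedirect` and `checkCallback` are hypothetical names; the model assumes the client library form-encodes once and the provider decodes once, and it leaves out OAuth 1.0 signing.

```javascript
// Added example: one encode/decode round trip versus a pre-encoded callback.
const AUTH_PAGE = 'https://bitbucket.org/api/1.0/oauth/authenticate';
const CALLBACK = 'http://mysite.local/auth/bitbucket/callback';

// Client library encodes the POST body once; provider decodes it once.
function sendAndReceive(callbackValue) {
  const body = new URLSearchParams({ oauth_callback: callbackValue }).toString();
  return { body, received: new URLSearchParams(body).get('oauth_callback') };
}

// A redirect target without a scheme is a relative reference, so it is
// resolved against the page that issued the redirect.
function resolveRedirect(received, currentPage) {
  return new URL(received, currentPage).toString();
}

// Pre-flight check before sending: the callback must already be an
// absolute http(s) URL. A pre-encoded value fails to parse.
function checkCallback(value) {
  let url;
  try {
    url = new URL(value);
  } catch {
    throw new Error('callback is not an absolute URL (already encoded?)');
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    throw new Error('callback must use http or https');
  }
  return url.toString();
}

const once = sendAndReceive(CALLBACK);
console.log(once.body);
// oauth_callback=http%3A%2F%2Fmysite.local%2Fauth%2Fbitbucket%2Fcallback
console.log(resolveRedirect(once.received, AUTH_PAGE));
// http://mysite.local/auth/bitbucket/callback

const twice = sendAndReceive(encodeURIComponent(CALLBACK));
console.log(twice.body);
// oauth_callback=http%253A%252F%252Fmysite.local%252Fauth%252Fbitbucket%252Fcallback
console.log(resolveRedirect(twice.received, AUTH_PAGE));
// https://bitbucket.org/api/1.0/oauth/http%3A%2F%2Fmysite.local%2Fauth%2Fbitbucket%2Fcallback
```

The last URL has the same shape as the 404 address in the question. In a captured request body, `%253A` and `%252F` are the visible sign of double encoding.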
I'm working on a piece of a web application in ASP.Net MVC where the user registers for membership using an sql membership provider. When they register they are put in the system but not approved. The code then sends an approval email to the user with the email given.
BfEncrypt refid = new BfEncrypt();
refid.Encrypt(user.ReferenceID);
string code = HttpContext.Current.Server.UrlEncode(refid.CipherText);
...
Body += "Approval Link\n\r\n\r";
But when a user clicks on the link they get the following error:
Description: HTTP 404. The resource you are looking for (or one of its dependencies)
could have been removed, had its name changed, or is temporarily unavailable.
Please review the following URL and make sure that it is spelled correctly.
Requested URL: /Approve/k/9IHrY43os=
The question is, if I'm url encoding the link before I send it, why is it decoding before it tries to call the action? The url in my browser is actually 'http://localhost:1091/Approve/k%2f9IHrY43os%3d' when I get the error. My routing is set up correctly but it doesn't account for the extra '/' in the encrypted string in the url (since it shouldn't be there anyways.)
You could encode it as base64 instead of using URLEncode.