Youtube Redirect URI add parameter dynamically - youtube-api

I want to add a parameter to the YouTube API redirect URI dynamically. I know we can't change the redirect URI dynamically. Is there any way to modify the auth URL to add a parameter there and extract it after authentication?

As per the answer in this SO post:

You cannot add anything to the redirect URI; the redirect URI is constant, as set in the app settings of OAuth, e.g. http://www.example.com/redirect.html

To pass several parameters to your redirect URI, have them stored in the state parameter before calling the OAuth URL; the URL after authorization will send the same parameters to your redirect URI as state=THE_STATE_PARAMETERS

For further studies, you can check this documentation from the YouTube API.

Related

Microsoft Azure Directory oAuth redirect_uri not accepting state query parameter

I'm trying to implement the OAuth flow to sign in with Microsoft.
I have the following endpoints:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize
https://login.microsoftonline.com/common/oauth2/v2.0/token
My flow is like this:
Redirect to Microsoft by clicking on Sign in with Microsoft button:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={client_id}&scope=user.read&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A8000%2F1%2Ffrontend%2Flogin%3Fstate%3Dtest
My redirect url is:
http://localhost:8000/1/frontend/login?state=test
Which is appended with the code I receive back from Microsoft.
I then perform a POST request to the /token endpoint.
However, I receive an error (AADSTS50011) saying:
AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application:
The data I send is correct, except for the redirect_uri. I have the following value:
http%3A%2F%2Flocalhost%3A8000%2F1%2Ffrontend%2Flogin%3Fstate%3Dtest
Which is just an url encoded version of my redirect url including the ?state=test
I know that everything works fine, except the redirect_uri, because when I remove the state query param, everything works fine.
However, to route the redirect_uri correctly in my application, I need the state param.
I cannot add it in my App settings, and I have to include it in the first request (/authorize endpoint)
That all works fine, but the second (/token) POST request fails, I cannot enter my redirect_uri with the ?state= parameter.
I've tried several options such as encoding the redirect_uri, but it doesn't help.
All other OAuth flows (like GitHub) are working fine, except Microsoft.
Attach your state param to the auth request itself, don’t put it in the redirect_uri param. Then the state param is automatically sent back to the redirect uri.
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={client_id}&scope=user.read&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A8000%2F1%2Ffrontend%2Flogin&state=xyz

Http redirect form OAuth2-Server: how are values added as url hash?

Let's say, in the OAuth implicit flow, the redirect URI I provided is http://www.abc.de/de
Then the OAuth2 server will respond with a 302 and the location will say something like:
http://www.abc.de/de#access_token=blabla&token_type=bearer
Then my browser redirects me to http://www.abc.de/de without the URL hash part, right?
How is the URL hash added to my redirect URI? Does the OAuth2 server simply add it and then set the location to that value?
And how do I know that the value given in the access_token is trustworthy? The location is part of the HTTP request, right? So while URL hashes are not sent to the server, the location value could be intercepted and meddled with by a MITM attack.
Or am I mixing things up here?
I think the identity server will never send those tokens back unless the URL is added to the trusted URLs on the server.
So if someone creates a page in the middle and makes people authenticate on it, they will never get the token back because the client URL is not trusted.
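As an added illustration (my code, not part of the question or the answer above), the Python below splits a constructed implicit-flow Location header the way a browser does: the request it then makes to www.abc.de carries only scheme, host, path and query, while the fragment stays in the browser for page script to read. The client accepts the token only if the state echoed in the fragment is the one it stored before starting the flow. The Location value, token value and state are constructed for the demo.

```python
# Added example, not from the original post: how an implicit-flow redirect
# splits between what the server receives and what the page script sees.
import hmac
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Constructed 302 Location header, as an authorization server would emit it.
LOCATION = ("http://www.abc.de/de#access_token=blabla&token_type=bearer"
            "&expires_in=3600&state=n7Kq2")


def request_target(location: str) -> str:
    """The URL the browser actually requests from www.abc.de after following
    the redirect: scheme, host, path and query only. The fragment never
    leaves the browser, so the server never sees the token."""
    p = urlsplit(location)
    return urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))


def fragment_params(location: str) -> Dict[str, str]:
    """The part that script on the landing page reads from window.location.hash."""
    return {k: v[0] for k, v in parse_qs(urlsplit(location).fragment).items()}


def accept_token(location: str, expected_state: str) -> Optional[str]:
    """Hand back the access token only when the echoed state equals the value
    this client generated and stored before redirecting to the authorization
    server; any other response is not a reply to our request and is dropped."""
    params = fragment_params(location)
    if not hmac.compare_digest(params.get("state", "").encode(),
                               expected_state.encode()):
        return None
    if params.get("token_type", "").lower() != "bearer":
        return None
    return params.get("access_token")


if __name__ == "__main__":
    print(request_target(LOCATION))         # http://www.abc.de/de
    print(fragment_params(LOCATION))
    print(accept_token(LOCATION, "n7Kq2"))  # blabla
    print(accept_token(LOCATION, "other"))  # None
```

The state comparison ties the response to a flow this browser actually started; it does nothing for the Location header in transit, which is what HTTPS on both the authorization endpoint and the redirect URI is for.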

Redirect URLs in Microsoft application registration

In my Microsoft application registration, under "redirect URLs", I've checked Allow Implicit flow and provided the URL, http://localhost:8080/event.
But I actually have a dynamic event id, which makes the URL localhost:8080/event/{eventid}.
So now I'm getting an error:
The reply address http://localhost:8080/student/event/59b67936d53f013a79000009 does not match the reply addresses configured for the application
How can I give a URL that will allow any value after the event in the URL?
You cannot use a dynamic URI for OAuth redirects. Note that this isn't specific to Microsoft's v2 endpoint; this is the case for every OAuth provider I've used.
I assume you're looking to redirect the user to a specific event page after they've completed the login?
The proper way to handle that is to use the state parameter. This is a string value and will be returned with the response. For example, you could encode your eventid and include that value in the state. When you get the token response back, your app decodes the state value and redirects the user.
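Added example (my code, not from this answer, the Azure answer above or the YouTube answer at the top of the page, all of which recommend the same approach): the redirect_uri stays exactly as registered and the event id rides in state, together with a per-session nonce and an HMAC tag so the callback cannot be replayed into another session or edited to route the user somewhere else. The signing key, client id, event id and nonce are constructed placeholders; the authorize endpoint and redirect URI are the ones quoted in the threads above.

```python
# Added example, not from either answer on this page: carry the application's
# routing value in state, not in redirect_uri. Key and identifiers are constructed.
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional
from urllib.parse import urlencode, urlsplit, parse_qs

STATE_KEY = b"demo-only-secret-keep-server-side"   # constructed; rotate in real use
AUTHORIZE = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
REDIRECT_URI = "http://localhost:8080/event"       # exactly as registered, never extended


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_state(event_id: str, nonce: str) -> str:
    """'payload.tag': payload carries the per-session nonce (the CSRF check)
    and the event id to route to; tag is an HMAC so neither can be edited."""
    payload = _b64(json.dumps({"n": nonce, "ev": event_id}).encode())
    tag = _b64(hmac.new(STATE_KEY, payload.encode(), hashlib.sha256).digest())
    return payload + "." + tag


def parse_state(state: str, session_nonce: str) -> Optional[str]:
    """Return the event id if the tag verifies and the nonce is the one stored
    for this browser session; None for anything tampered, replayed or foreign."""
    try:
        payload, tag = state.split(".", 1)
    except ValueError:
        return None
    expected = _b64(hmac.new(STATE_KEY, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    try:
        data = json.loads(_unb64(payload))
    except ValueError:
        return None
    if not hmac.compare_digest(str(data.get("n", "")).encode(), session_nonce.encode()):
        return None
    return data.get("ev")


def authorize_url(client_id: str, event_id: str, nonce: str) -> str:
    """The link behind 'Sign in'. redirect_uri is the static registered value;
    everything dynamic goes into state."""
    query = {"client_id": client_id, "scope": "user.read", "response_type": "code",
             "redirect_uri": REDIRECT_URI, "state": make_state(event_id, nonce)}
    return AUTHORIZE + "?" + urlencode(query)


def route_after_callback(callback_url: str, session_nonce: str) -> Optional[str]:
    """Given the URL the provider redirected the browser to, pick the page to
    send the user to. The code would then be exchanged at /token using the same
    static REDIRECT_URI."""
    qs = parse_qs(urlsplit(callback_url).query)
    event_id = parse_state(qs.get("state", [""])[0], session_nonce)
    return None if event_id is None else "/event/" + event_id


if __name__ == "__main__":
    nonce = secrets.token_urlsafe(16)        # stored in the server-side session
    url = authorize_url("my-client-id", "59b67936d53f013a79000009", nonce)
    print(url)
    state = url.rsplit("state=", 1)[1]
    print(route_after_callback(REDIRECT_URI + "?code=AUTHCODE&state=" + state, nonce))
```

The nonce lives in the server-side session and the key never leaves the server, so a state value lifted from one user's browser fails the nonce check in any other session, and a state with a rewritten event id fails the tag check.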

Github API callback URL

I'm trying to write a GitHub client for iOS in Swift. So far I have managed to understand how OAuth 2.0 works.
But the thing I don't understand is what callback URL I should enter (for the user to be redirected to after dealing with OAuth) when registering my app in the OAuth applications list. I add a URL scheme like "mycustomapp" in Info.plist, then I enter "mycustomapp://" in the callback URL field on the developer.github website, but it says that this URL is invalid. What URL should I use?
I've managed to find a solution to this issue on an OAuthSwift wiki page.
Some APIs do not accept a custom URL scheme (e.g. myapp://) in the callback URL (e.g. LinkedIn OAuth v2, Twitter OAuth v1); only http is accepted.
So I used a URL with the http scheme, which redirects to my custom one.
I entered http://oauthswift.herokuapp.com/callback/myappname as the callback and inside my app I redirect to oauth-swift://oauth-callback/myappname
Code can be found here: https://github.com/dongri/oauthswift.herokuapp.com
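The bridge the answer describes, written here as an added example of mine rather than the linked repository's code: a small http.server handler receives the provider's redirect on the http callback and bounces it to the app's custom scheme. The registry of app names, the listening port and the set of forwarded parameters are assumptions. Only names in the registry are redirected and only OAuth response parameters are copied across, so the public host cannot be used as an open redirector.

```python
# Added example, not the linked repository's code: an http callback that
# bounces the provider's response to the app's custom URL scheme.
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.parse import urlsplit, parse_qs, urlencode

# Constructed registry: public callback name -> the app's custom-scheme URL.
APP_SCHEMES = {
    "myappname": "oauth-swift://oauth-callback/myappname",
}
# Only the parameters an OAuth response carries are forwarded; anything else
# in the incoming query string is dropped.
FORWARDED = ("code", "state", "error", "error_description")
CALLBACK_PREFIX = "/callback/"


def bridge_location(request_url: str) -> Optional[str]:
    """For GET /callback/<app>?code=...&state=..., return the Location of the
    302 that hands the response to the native app, or None for a 404."""
    parts = urlsplit(request_url)
    if not parts.path.startswith(CALLBACK_PREFIX):
        return None
    target = APP_SCHEMES.get(parts.path[len(CALLBACK_PREFIX):])
    if target is None:          # unknown app name: refuse rather than redirect
        return None
    incoming = parse_qs(parts.query)
    forward = {k: incoming[k][0] for k in FORWARDED if k in incoming}
    if not forward:             # nothing from the provider to deliver
        return None
    return target + ("&" if "?" in target else "?") + urlencode(forward)


class BridgeHandler(BaseHTTPRequestHandler):
    def do_GET(self) -> None:
        location = bridge_location(self.path)   # self.path is path plus query
        if location is None:
            self.send_error(404)
            return
        self.send_response(302)
        self.send_header("Location", location)
        self.send_header("Cache-Control", "no-store")
        self.end_headers()


if __name__ == "__main__":
    # Register http://<this host>:8089/callback/myappname with the provider.
    HTTPServer(("127.0.0.1", 8089), BridgeHandler).serve_forever()
```

The authorization code passes through this host in the clear on an http:// callback, so in practice the bridge should sit behind TLS and the app should still exchange the code itself and check state.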

Why do we need to specify redirect uri two times while using Oauth2

I was wondering why we need to specify the redirect URI both in our code and in the Google developer console when using OAuth2. I was following this tutorial: http://www.tothenew.com/blog/grails-way-of-oauth-2-0-to-access-google-apis-part-1/.
The client may register multiple redirect_uris with the Authorization Server (i.e. Google), and sending the redirect_uri in the request itself is to let the Authorization Server know on which one of the registered redirect_uris the client wants to receive the authorization response.
The redirect_uri parameter is optional by spec: if there's only one registered, then the redirect_uri parameter may be omitted from the request.
The only redirect URI which really matters is the one which you enter into your Google Developer Console. This redirect URI is what Google will use to reconnect with your web application after it has either approved or rejected your authorization attempt.
The reason you are also specifying this redirect URL in your code is to ensure that your application can correctly recognize the incoming redirect request.
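To show what the registered list is used for, here is an added example of mine (not Google's, Microsoft's or any provider's code) of the authorization-server side. The redirect_uri in the request is compared against the registered values by exact string match, which is the rule that rejects the "...login?state=test" and ".../event/<id>" variants seen in the threads above, and the token request must repeat the same value. A strict server refuses such values at the authorize endpoint already; the Azure thread saw the refusal at /token. The client registry is constructed.

```python
# Added example, not any provider's code: the authorization server's side of
# the redirect_uri check. Client registrations are constructed.
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed registry: client_id -> redirect URIs entered in the console.
REGISTRY = {
    "web-app":   ["http://localhost:8000/1/frontend/login"],
    "event-app": ["http://localhost:8080/event"],
    "multi":     ["https://app.example.com/cb", "https://staging.example.com/cb"],
}


def resolve_redirect_uri(client_id: str, requested: Optional[str]) -> Optional[str]:
    """Pick the URI the authorization response is sent to, or None to refuse.
    Comparison is an exact string match: no added query strings, no path
    suffixes, no wildcards. That is the rule behind the 'does not match'
    errors for '...login?state=test' and '.../event/<id>'."""
    registered: List[str] = REGISTRY.get(client_id, [])
    if requested is None:
        # Omitting the parameter is only unambiguous with a single registration.
        return registered[0] if len(registered) == 1 else None
    if urlsplit(requested).fragment:
        return None       # redirect URIs must not carry a fragment
    return requested if requested in registered else None


def token_request_ok(client_id: str, authorize_redirect_uri: Optional[str],
                     token_redirect_uri: Optional[str]) -> bool:
    """At /token the client repeats redirect_uri. It must equal the value used
    in the authorization request, and that value must itself be registered, so
    a suffix that slipped past the first step is still refused here."""
    if token_redirect_uri != authorize_redirect_uri:
        return False
    return resolve_redirect_uri(client_id, token_redirect_uri) is not None


if __name__ == "__main__":
    print(resolve_redirect_uri("web-app", "http://localhost:8000/1/frontend/login"))
    print(resolve_redirect_uri("web-app", "http://localhost:8000/1/frontend/login?state=test"))
    print(resolve_redirect_uri("event-app", "http://localhost:8080/event/59b67936d53f013a79000009"))
    print(resolve_redirect_uri("multi", None))
```

Exact matching is what makes the registered list meaningful: with prefix or wildcard matching, an attacker who controls any path under the registered host could receive codes or tokens meant for the application.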
