Spring OAuth2 and query string parameters in redirect_uri

Question

So we've a spring-boot based oauth2 server. One of our applications relying on this server tries to initiate an auth request using the following url:

https://oauth2server/oauth/authorize?response_type=code&grant_type=authorization_code&client_id=myClient&redirect_uri=http%3A%2F%2Fapplicationserver%2Flogin%3Fparameter%3Dvalue

The user enters credentials, approves the app, and is redirected back to the application-server via the redirect_uri with a code:

http://applicationserver/login?parameter=value&code=tokenCode

When the application-server then calls the oauth2 resource api (oath/token) it gets RedirectMismatchException("Redirect URI mismatch.") because the approved redirect doesn't contain the query string parameters, rather only http://applicationserver/login

How can we set a certain url prefix to be an approved redirect uri while ignoring query string parameters? or are we doing something inherently wrong?

Thanks!!

Answer 1

If I understand it correctly your intention is to send data with the initial authorize request which should be returned when redirecting back to the application.

A library I am using currently provides the feature that an additional state can be stored together with the nonce in the state parameter like:

state = nonce + nonceStateSeparator + customState;

The state parameter is described as:

An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client. The parameter SHOULD be used for preventing cross-site request forgery as described in Section 10.12.