So we've a spring-boot based oauth2 server. One of our applications relying on this server tries to initiate an auth request using the following url:
The user enters credentials, approves the app, and is redirected back to the application-server via the redirect_uri with a code:
http://applicationserver/login?parameter=value&code=tokenCode
When the application-server then calls the oauth2 resource api (oath/token) it gets RedirectMismatchException("Redirect URI mismatch.")
because the approved redirect doesn't contain the query string parameters, rather only http://applicationserver/login
How can we set a certain url prefix to be an approved redirect uri while ignoring query string parameters? or are we doing something inherently wrong?
Thanks!!
If I understand it correctly your intention is to send data with the initial authorize request which should be returned when redirecting back to the application.
A library I am using currently provides the feature that an additional state can be stored together with the nonce in the state parameter like:
state = nonce + nonceStateSeparator + customState;
The state parameter is described as:
An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client. The parameter SHOULD be used for preventing cross-site request forgery as described in Section 10.12.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.