Determine user id in oauth callback

Question

The OAuth process is:

1. For OAuth authentication, the app (a.k.a OAuth client) redirects the user to the authorize_url

2. This redirects the user to oauth server's webserver, where the user grants the web app access to his/her account

3. OAuth server redirects the user to the callback url provided by the application (a.k.a oauth client). At this point, the callback came from the OAuth server and hence does not have the session id or session hash. How is the application to determine which user the post-oauth callback is being called for?

I though the way this works is:

1. When you redirect user to the authorize_url you append certain parameters to the query string ?id=xxx

2. When the OAuth server redirects to the callback_url provided by the client, one of the parameters with the HTTP message will be the parameter appended to the query string in step 1.

However, this does not seem to work for the OAuth server I am trying to hook into.

Any suggestions?

Answer 1

After the user has verified your request token (by entering username and password) you should get the oauth_token and oauth_verifier parameters sent back, appended to the callback.

If this works, but other parameters you specified in the callback are NOT included in the callback, then it may be the case that the provider simply ignores the oauth_callback you are sending in the request token step.

If this is the case, the provider will refer to predefined callback, usually one that you specified when acquiring consumer key and secret.

OAuth providers are allowed to ignore callbacks sent during the authorization flow (except for signing purposes). Some providers do this to add an extra layer of security.

Answer 2

You can use state parameter for that, also the auth server have to provide user details service based on only access token.