The state parameter according to the Google OAuth 2.0 docs:
Indicates any state which may be useful to your application upon receipt of the response. The Google Authorization Server roundtrips this parameter, so your application receives the same value it sent. Possible uses include redirecting the user to the correct resource in your site, nonces, and cross-site-request-forgery mitigations.
I'd like to use the state parameter as a means to know which subdomain the original OAuth request was initiated from. But the redirect_state parameter appears to need to be registered as part of one of the "Authorized Redirect URIs". If not, I get:
Error: redirect_uri_mismatch The redirect URI in the request: http://my_server.com/complete/google-oauth2/?redirect_state=2 did not match a registered redirect URI
I would like a solution that does not require registering every possible redirect_state value in the authorized redirect URIs as that isn't very maintainable. Ideas?
The redirected URI is the location where the user will be redirected after successfully logging in to your app. For example, to get an access token for your app in Facebook you need to submit a redirected URI, which is nothing but the app domain that you provide when you create your Facebook app.
An OAuth 2.0 state parameter is a unique, randomly generated, opaque, and non-guessable string that is sent when starting an authentication request and validated when processing the response.
Google does not have any plans to add public IPs as trusted; they simply do not trust an IP.
The name of the parameter is state (and not redirect_state)!
A sample OAuth request according to the Google documentation is:
https://accounts.google.com/o/oauth2/auth?
scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile&
state=%2Fprofile&
redirect_uri=https%3A%2F%2Foauth2-login-demo.appspot.com%2Fcode&
response_type=code&
client_id=812741506391.apps.googleusercontent.com&approval_prompt=force
Please note the state parameter and the redirect_uri parameter. I think you've mixed up the two.
EDIT - See this link by Google. It has a good explanation of state parameters and building up the web requests.
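The approach this answer points to, as an added example (not code from the original posts or from Google): register one redirect_uri with no query string and carry the originating subdomain inside state, signed and bound to a per-session nonce so the same value also serves as the CSRF check. The function names, the key handling and the subdomain allowlist are assumptions made for illustration.

```python
import base64, hashlib, hmac, json
from urllib.parse import urlencode

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"  # endpoint shown in the answer
REDIRECT_URI = "http://my_server.com/complete/google-oauth2/"  # the single registered URI
ALLOWED_SUBDOMAINS = {"app1", "app2"}  # constructed sample values (assumption)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _sign(body: str, key: bytes) -> str:
    return _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())


def make_state(subdomain: str, nonce: str, key: bytes) -> str:
    """Pack the subdomain and the session nonce into a signed state value."""
    body = _b64(json.dumps({"sub": subdomain, "nonce": nonce}).encode())
    return f"{body}.{_sign(body, key)}"


def read_state(state: str, session_nonce: str, key: bytes) -> str:
    """Validate a returned state value and return its subdomain, or raise ValueError."""
    body, _, tag = state.partition(".")
    # Check the signature before decoding anything the client could have altered.
    if not hmac.compare_digest(tag.encode(), _sign(body, key).encode()):
        raise ValueError("state signature mismatch")
    data = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    # The nonce ties the response to the browser session that started the flow.
    if not hmac.compare_digest(data["nonce"].encode(), session_nonce.encode()):
        raise ValueError("state nonce does not match this session")
    # Only redirect to subdomains we know, so state cannot become an open redirect.
    if data["sub"] not in ALLOWED_SUBDOMAINS:
        raise ValueError("unknown subdomain")
    return data["sub"]


def authorization_url(client_id: str, state: str) -> str:
    """Build the authorization request; redirect_uri stays constant, state varies."""
    query = {"response_type": "code", "client_id": client_id,
             "redirect_uri": REDIRECT_URI, "state": state,
             "scope": "https://www.googleapis.com/auth/userinfo.email"}
    return f"{AUTH_ENDPOINT}?{urlencode(query)}"
```

Generate the nonce with `secrets.token_urlsafe()` when the flow starts, store it in the user's session, and pass the stored value to `read_state` in the callback handler.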