I have incorporated Satellizer into my app with a variety of social login providers (Facebook, Twitter, Google). My stack consists of: AngularJS (UI Router) and NodeJS/Express.
I seem to be encountering a challenge setting up dynamic callback URLs for user authentication. My app does not have a consistent login URL such as http://example.com/login because all of my URLs are dynamic and token based, for example: http://example.com/XH12aT1771. In effect, my login user experience is a modal overlay and there isn't any consistent login page.
The challenge with my system in integrating with OAuth is after logging the user into my app via the modal overlay, I want to put them back in the exact room (or token) they're in, not redirect them to some callback URL page as this would be a poor user experience.
Is the only way to make my OAuth callback URL hardcoded, something like: http://example.com/success and then redirect the user back to their token after they hit the /success page? Is this really the only way to do such a thing?
Let me know if you need any more question details, thanks for the help.
I would not know about the options that Satellizer gives you, and it would also depend on the options supported by the Authorization Server (AS), but:
From a security perspective it is advisable to use a fixed callback URL anyway to prevent some of the attacks that may happen because of either broken/sloppy URL matching on the AS side, or accidental token leakage to 3rd parties on the RP side because of embedded images/iframes on pages that do not consume the token etc.
So regardless of whether there's another way, it would be good security practice to use a fixed callback URL anyway and you can (hopefully) associate the original URL with the state parameter that gets sent out or put it in a cookie and restore it after consuming the token on the callback URL.