Avoid appending to redirect_uri, but rather use state parameter #248
base: master
Conversation
Added support for passing additional state on the callback url, e.g. a return url. Modified the OpenAuthSecurityManager to delegate responsibility to the IAuthenticationClients for passing the provider name and session id on either the redirect url or login url (OAuth2 specifically has a state parameter for passing additional session info on the login url; passing additional information on the callback url isn't supported by Google's implementation of OAuth2). Removed redundant provider name and session id passed on the callback in VerifyAuthentication.
I hope you pull this in soon. I was thinking of making a similar change, but this is much better. This will allow me (or others) to easily create a Google OAuth2 ASP.NET client. My current one is ugly because I have to rip out the provider and sid variables and stuff them into state and then pull them back out.
try
{
    state = new StateDictionary(HttpUtility.UrlDecode(value).Split('&').Select(x => x.Split('=')).ToDictionary(x => x[0], x => x[1]));
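Review bot: `x.Split('=')` with `x[1]` on the StateDictionary line silently truncates any value that itself contains '=' (a second '=' produces a third element that is discarded) and throws IndexOutOfRangeException for a segment with no '=' at all; because `HttpUtility.UrlDecode` has already been applied to the whole string before the `Split('&')`, a value such as a return url carrying its own query string is broken apart into extra pairs. Split each segment with `Split(new[] { '=' }, 2)`, check that it yielded two parts, and UrlDecode the key and the value individually instead of the whole string. Note also that `ToDictionary` throws ArgumentException on a duplicate key, so the surrounding `try` will swallow malformed input and key collisions alike unless the catch distinguishes them.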
It looks like you're missing another level of HttpUtility.UrlDecode in the key and value itself.
See comment below...
We appreciate the pull request. We're going to make a different, smaller change that only impacts OAuth 2 clients and without the backward breaking changes that your change introduces. Thanks for thinking of sharing code back to the project however. We truly do appreciate it!
Actually, re-opening the issue so we can solve it, albeit another way.
Always happy to contribute! Would you be able to incorporate the ability to pass a return url in OpenAuthSecurityManager.RequestAuthentication that is passed back to the website with provider name and sid? I know there is already a parameter called returnUrl, but it would be useful to have a returnUrl that we can redirect a user to after successful authentication in the callback request.
One more reason to fix this.
Any progress on this one? What's the easiest way to move the sid from the returnUrl into the state? Dodgy suggestions are welcome :)
Ok, my workaround using OAuth with Google. In my provider's GetServiceLoginUrl and QueryAccessToken methods I strip out the query parameters, base64 encode them and add them to the dictionary with the key state. My ExternalLoginCallback action grabs the state parameter, un-encodes it and then returns a RedirectResult with the parameters added back on. Dodgy hack but works.
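The encoding question raised in the review comment above (one UrlDecode over the whole string versus decoding each key and value) and the callback-side use of the sid that this thread is about, as an added example in Python that is not DotNetOpenAuth code and not any commenter's workaround. The field names `__provider__`, `__sid__` and `returnUrl`, the session id and the return url are constructed sample values; `naive_decode_state` mirrors the Split('&')/Split('=') parsing under review so the difference can be observed on a return url that carries its own query string.

```python
import hmac
from urllib.parse import urlencode, parse_qsl, unquote_plus

# Constructed sample values (not from the project): what RequestAuthentication
# would carry in `state` instead of appending them to redirect_uri.
SAMPLE_FIELDS = {
    "__provider__": "google",
    "__sid__": "0123456789abcdef",                 # placeholder session id
    "returnUrl": "/account?tab=settings&page=2",   # contains '?', '=' and '&'
}


def encode_state(fields):
    """Percent-encode every key and value on its own, then join with '&'.

    Because '=', '&', '?' and '/' inside a value are escaped, a return url with
    its own query string survives as a single pair inside `state`.
    """
    return urlencode(fields)


def decode_state(state):
    """Split on '&', then on the FIRST '=' only, then unquote each half.

    strict_parsing=True makes a segment without '=' raise ValueError instead of
    being dropped, the equivalent of the x[1] index error in the C# snippet.
    """
    return dict(parse_qsl(state, keep_blank_values=True, strict_parsing=True))


def state_is_well_formed(state):
    """True if `state` parses cleanly, False for a malformed segment."""
    try:
        decode_state(state)
    except ValueError:
        return False
    return True


def naive_decode_state(state):
    """Mirror of the parsing under review: UrlDecode the whole string once,
    then Split('&') and Split('=') taking element [1]. Any '&' or '=' that
    was escaped inside a value reappears before the split and breaks it."""
    pairs = [segment.split("=") for segment in unquote_plus(state).split("&")]
    return {p[0]: p[1] for p in pairs}


def verify_callback_state(state, expected_sid, expected_provider):
    """Callback-side check of the sid now carried in `state`.

    The sid in `state` must equal the one stored in the user's own session;
    otherwise the callback was not started by this browser (login CSRF).
    Returns the parsed fields on success and None on any mismatch.
    """
    fields = decode_state(state)
    if not hmac.compare_digest(fields.get("__sid__", ""), expected_sid):
        return None
    if fields.get("__provider__") != expected_provider:
        return None
    return fields


if __name__ == "__main__":
    encoded = encode_state(SAMPLE_FIELDS)
    print("state  =", encoded)
    print("proper =", decode_state(encoded))
    print("naive  =", naive_decode_state(encoded))
    print("verify =", verify_callback_state(encoded, "0123456789abcdef", "google"))
```

Run as a script it prints the encoded `state`, the correctly recovered fields, and the naive result in which `returnUrl` has been cut down to `/account?tab` and a stray `page` key has appeared, which is exactly the failure a per-value UrlDecode avoids. The `hmac.compare_digest` comparison is used for the sid so that the check does not leak timing information about the stored value.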
Added support for passing additional state on the callback url e.g. a
return url. Modified the OpenAuthSecurityManager to delegate
responsibility to the IAuthenticationClients for passing the provider
name and session id on either the redirect url or login url (OAuth2
specifically has a state parameter for passing additional session info
on the login url; passing additional information on the callback url
isn't supported by Google's implementation of OAuth2). Removed redundant
provider name and session id passed on the callback in
VerifyAuthentication.