Google OAuth 2 and state parameter values need to be registered in redirect url

Henry · May 7, 2013 · Viewed 18.5k times

The state parameter according to the Google OAuth 2.0 docs:

Indicates any state which may be useful to your application upon receipt of the response. The Google Authorization Server roundtrips this parameter, so your application receives the same value it sent. Possible uses include redirecting the user to the correct resource in your site, nonces, and cross-site-request-forgery mitigations.

I'd like to use the state parameter as a means to know which subdomain the original oauth request was initiated from. But the redirect_state parameter appears to need to be registered as part of one of the "Authorized Redirect URIs". If not, I get:

Error: redirect_uri_mismatch The redirect URI in the request: http://my_server.com/complete/google-oauth2/?redirect_state=2 did not match a registered redirect URI

I would like a solution that does not require registering every possible redirect_state value in the authorized redirect URIs as that isn't very maintainable. Ideas?

Answer

divyanshm · May 7, 2013

The name of the parameter is state (and not redirect_state)!

A sample OAuth request according to the Google documentation is:

https://accounts.google.com/o/oauth2/auth?
scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile&
state=%2Fprofile&
redirect_uri=https%3A%2F%2Foauth2-login-demo.appspot.com%2Fcode&
response_type=code&
client_id=812741506391.apps.googleusercontent.com&approval_prompt=force

Please note the state parameter and the redirect_uri parameter. I think you've mixed up the two.

EDIT - See this link by Google. It has a good explanation of state parameters and of building up the web requests.
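Added example (not code from the question or the answer): a Python sketch of carrying the originating subdomain in `state` while keeping a single registered redirect_uri. The subdomain travels in an HMAC-signed payload together with a per-session nonce, so the callback can reject tampered, replayed or cross-site requests and never redirects to an unknown host; the secret, the redirect URI, the subdomain allowlist and the helper names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"
# One redirect URI, registered once in the Google console (constructed value).
REDIRECT_URI = "https://my_server.com/complete/google-oauth2/"
CLIENT_ID = "812741506391.apps.googleusercontent.com"  # sample id from the answer
SCOPE = "https://www.googleapis.com/auth/userinfo.email"
STATE_SECRET = b"constructed-server-side-secret"  # hypothetical; load from config
KNOWN_SUBDOMAINS = {"app1", "app2", "app3"}  # constructed allowlist


def make_state(subdomain, nonce):
    """Pack subdomain + CSRF nonce and sign it so neither can be altered in transit."""
    payload = json.dumps({"sub": subdomain, "nonce": nonce}, separators=(",", ":"))
    body = base64.urlsafe_b64encode(payload.encode()).decode().rstrip("=")
    sig = hmac.new(STATE_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def parse_state(state):
    """Return the signed payload as a dict, or None if the signature does not verify."""
    body, _, sig = state.rpartition(".")
    if not body or not sig.isascii():
        return None
    expected = hmac.new(STATE_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    raw = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    return json.loads(raw)


def build_auth_url(subdomain):
    """Start the flow: returns (authorization URL, nonce to keep in the user's session)."""
    nonce = secrets.token_urlsafe(16)
    params = {"scope": SCOPE, "state": make_state(subdomain, nonce),
              "redirect_uri": REDIRECT_URI, "response_type": "code",
              "client_id": CLIENT_ID}
    return AUTH_ENDPOINT + "?" + urlencode(params), nonce


def subdomain_from_callback(callback_url, session_nonce):
    """Finish the flow: recover the originating subdomain, or None if state is invalid."""
    data = parse_state(parse_qs(urlparse(callback_url).query).get("state", [""])[0])
    if data is None or not hmac.compare_digest(str(data.get("nonce", "")), session_nonce):
        return None  # forged, replayed, or cross-site request
    if data.get("sub") not in KNOWN_SUBDOMAINS:
        return None  # never redirect to a host that is not ours
    return data["sub"]
```

Only the registered redirect_uri ever appears in the request; everything that varies per subdomain lives inside `state`, which is exactly what Google round-trips unchanged.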