Callback url querystring parameters are not used

TeamKineticUK · 2018-08-01T11:16:36.711Z

Hi all,

I’m trying to fix a legacy web app that authenticated with twitter.

I have created the required whitelisted URLs but this means I must pass a querystring parameter with the callback url so that the callback server knows what to do with the token (I have to update a database based on the querystring value).

The payload in this legacy app is passed as a querystring like;

https://api.twitter.com/oauth/request_token?oauth_callback=https%3A%2F%2Fexample.co.uk%2Fvk%2Fcallback.htm%26mytoken%3D26FBC1CF-5A9F-43D8-8DA5-CC556EF1B867%3Fmytokentype%3Dadmin&oauth_consumer_key=***********&oauth_nonce=1576965227&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1533121843&oauth_version=1.0&oauth_signature=**********

But the request fails as the call back url does not match the whitelisted version. If I remove the querystring parameters from the callback url it works but then my callback script doesnt have the info it needs.

How do I add callback url parameters…?

Thanks

andypiper · 2018-08-01T22:54:43.838Z

As I understand it, query parameters on a callback URL should work. In the example above, if I’m reading it right, you want the values of mytoken and mytokentype passed back to your target callback URL, correct?

Example comment indicating callback params work:

OAuth callback URL lockdown Security & authorization (OAuth)

Yeah we had to scramble too, but parameters appear to pass correctly and you don’t have to lock them. We had to do few redirects based on where we should send the user post authentication. This is especially a problem with “signin with twitter” workflow, but it all worked out in the end.

TeamKineticUK · 2018-08-02T16:40:14.719Z

Thanks for that…the parameters were being added fine with regular url encoding but were being stripped later in the process. Doh!

Thanks
Rolf

andypiper · 2018-08-02T18:39:15.319Z