Is the "state" parameter supported?


#1

Is the “state” parameter supported? It is supported by Facebook and Google (at least).

If not, is there some other way to maintain state between requests?

Thanks.


#2

Bump.


#3

No, we don’t support OAuth 2 at this time, aside from app-only auth which is without this kind of context.

If you need to maintain state during the OAuth 1.0A callback “handshake,” you can do so by setting additional parameters on the custom oauth_callback value you provide in the oauth/request_token step.


#4

Okay, thanks.


#5

How can I set an additional parameter in the oauth_callback URL? My callback URL is:

http://localhost:3000/oauthhandler/twitter

With this I am getting the access_token successfully, but not getting any state parameter.

Now I want to set a state parameter, so I can get a unique state back in the response params. But when I tried this:

http://localhost:3000/oauthhandler/twitter?state=skjdfhjsf24754fsdf

I got an error: could not authenticate.


#6

Do you need to URL-encode your callback URL?

Thus:
http://localhost:3000/oauthhandler/twitter?state=skjdfhjsf24754fsdf
becomes:
http%3A%2F%2Flocalhost%3A3000%2Foauthhandler%2Ftwitter%3Fstate%3Dskjdfhjsf24754fsdf


#7

Thanks for your reply. I have sent the query parameter as an encoded string, but I’m still facing the same error. If I do not include the state query parameter in the callback URL, then I do not get any error and authorization succeeds, but without the state parameter. I need to differentiate the user by this state parameter.


#8

The only other idea I have (sorry for delay!) would be to use something like:

http://localhost:3000/oauthhandler/twitter/state/skjdfhjsf24754fsdf

And use Apache’s mod_rewrite or something equivalent, depending on your web server…


#9

How could that work?
The point of the state parameter is that it changes on every request. But you cannot use a “changing” callback URL with OAuth, which makes it impossible to use http://localhost:3000/oauthhandler/twitter/state/skjdfhjsf24754fsdf10


#10

Well, true, you can’t directly use a state parameter, but the pretty crazy flow from Twitter already makes it so the state param isn’t really needed, because of the oauth token and secret, which work similarly but slightly differently.

After all, when you request an oauth token for the login, you store the token secret and send the user to the Twitter login site with the token.

Also, since the oauth token itself is a dynamic parameter in the first place, you can store that as well and do a check on it.

And the oauth verifier obviously has to be the correct one for any given oauth token, and the same goes for the secret. The secret is used for signing, after all, and if the signature doesn’t check out, Twitter won’t let the login do anything.

So while it’s not you who decides the dynamic parameters, there are parameters that are dynamic enough to basically work as state. While being more complicated, this is also slightly better, since there is a secret value involved instead of just the public state.


#11

You can use the state parameter as an url parameter instead of as part of the url path. Like this:

http://localhost:3000/oauthhandler/twitter/?state=blahblahblah


#12

So, definitively, is it possible to put a custom parameter like context in OAuth 1? I am facing a painful problem with my school project, as I am not able to store the accessToken and accessSecret in my database, because in the current flow I am not able to say which user of my site the account belongs to.
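The approach described in #10 (store the request token and its secret server-side and treat the token as the state value) also answers #12 (knowing which local user an access token belongs to), and #6 (the oauth_callback value must be percent-encoded). The following is an added example, not code from the thread or from Twitter: it runs the three-legged OAuth 1.0a flow entirely in memory against a constructed stand-in provider, with placeholder consumer credentials and a placeholder access-token URL. Only the callback URL and the state value are taken from the thread. The consumer stores each request token together with its secret and the local user id, accepts a callback only if the oauth_token is one it issued (single use, with an assumed ten-minute lifetime), and then signs the access-token request with the stored secret the way RFC 5849 HMAC-SHA1 prescribes, so a forged or replayed callback fails before any credentials are stored.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Constructed placeholders: not real Twitter credentials or endpoints.
CONSUMER_KEY = "example-consumer-key"
CONSUMER_SECRET = "example-consumer-secret"
ACCESS_TOKEN_URL = "https://provider.example/oauth/access_token"
CALLBACK_BASE = "http://localhost:3000/oauthhandler/twitter"  # callback URL from the thread
PENDING_TTL = 600  # seconds a request token stays usable locally (assumed policy)


def pct(s):
    """RFC 5849 percent-encoding: everything except unreserved characters."""
    return quote(s, safe="")


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the RFC 5849 signature base string."""
    normalized = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))
    base = "&".join(pct(part) for part in (method.upper(), url, normalized))
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


class FakeProvider:
    """Constructed stand-in for the OAuth 1.0a server; exists only so the flow runs offline."""

    def __init__(self):
        self._requests = {}

    def request_token(self, oauth_callback):
        token, secret = secrets.token_hex(16), secrets.token_hex(16)
        self._requests[token] = {"secret": secret, "callback": oauth_callback, "verifier": None}
        return token, secret

    def authorize(self, token):
        # The user approves at the provider, which redirects to the callback it was given.
        rec = self._requests[token]
        rec["verifier"] = secrets.token_hex(8)
        sep = "&" if "?" in rec["callback"] else "?"
        return rec["callback"] + sep + urlencode({"oauth_token": token, "oauth_verifier": rec["verifier"]})

    def access_token(self, params, signature):
        rec = self._requests.pop(params.get("oauth_token", ""), None)
        if rec is None or not hmac.compare_digest(rec["verifier"] or "", params.get("oauth_verifier", "")):
            return None
        expected = hmac_sha1_signature("POST", ACCESS_TOKEN_URL, params, CONSUMER_SECRET, rec["secret"])
        if not hmac.compare_digest(expected, signature):
            return None  # wrong token secret: the caller never held this request token
        return {"oauth_token": "access-" + secrets.token_hex(8), "oauth_token_secret": secrets.token_hex(16)}


class Consumer:
    """Our web application. `pending` is the server-side store keyed by request token."""

    def __init__(self, provider):
        self.provider = provider
        self.pending = {}

    def begin_login(self, local_user_id, state=None):
        callback = CALLBACK_BASE
        if state is not None:
            callback += "?" + urlencode({"state": state})
        oauth_callback_param = pct(callback)  # encoded form sent as oauth_callback (post #6)
        token, secret = self.provider.request_token(callback)
        self.pending[token] = {"secret": secret, "user_id": local_user_id, "created": time.time()}
        return token, oauth_callback_param

    def handle_callback(self, callback_url):
        qs = parse_qs(urlsplit(callback_url).query)
        token = qs.get("oauth_token", [""])[0]
        verifier = qs.get("oauth_verifier", [""])[0]
        rec = self.pending.pop(token, None)  # single use: a replayed or forged callback finds nothing
        if rec is None:
            raise PermissionError("oauth_token was not issued by us or is already consumed")
        if time.time() - rec["created"] > PENDING_TTL:
            raise PermissionError("login attempt expired")
        params = {"oauth_consumer_key": CONSUMER_KEY, "oauth_token": token, "oauth_verifier": verifier,
                  "oauth_signature_method": "HMAC-SHA1", "oauth_nonce": secrets.token_hex(8),
                  "oauth_timestamp": str(int(time.time())), "oauth_version": "1.0"}
        sig = hmac_sha1_signature("POST", ACCESS_TOKEN_URL, params, CONSUMER_SECRET, rec["secret"])
        creds = self.provider.access_token(params, sig)
        if creds is None:
            raise PermissionError("provider rejected the verifier or the signature")
        # The stored record tells us which local user these credentials belong to (post #12).
        return rec["user_id"], creds, qs.get("state", [None])[0]


def login_roundtrip(local_user_id, state=None):
    provider, app = FakeProvider(), None
    app = Consumer(provider)
    token, _ = app.begin_login(local_user_id, state)
    redirect = provider.authorize(token)  # the browser returns to our callback URL
    return app.handle_callback(redirect)


if __name__ == "__main__":
    print(login_roundtrip("alice", state="skjdfhjsf24754fsdf"))
```

The request token does the job the OAuth 2 state parameter would: it is unguessable, issued once per login attempt, and can only be redeemed by whoever holds the matching secret. If the provider does echo a state query parameter back on the callback, `handle_callback` returns it as well, but the lookup never depends on it.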