19

I'm developing an application where the users have their own URLs, and they need to use Google API - of course with different redirect URIs, like

  • www.example.com/johndoe/google/login
  • www.example.com/foobar/google/login

So first I thought I could simply solve this problem by using wildcards (www.example.com/*/google/login), but it unfortunately doesn't work that way. Then I started to code a simple proxy in Perl, but I'm not sure it would work and we're running out of time. What is the best way to deal with the situation? I thought about adding a new redirect URI to the console from the registration handler, but I didn't find any way the server could do this.

r1pp3rj4ck
  • See answer on http://stackoverflow.com/questions/7722062/google-oauth2-redirect-uri-with-several-parameters Thanks! – Kiran Sep 24 '14 at 10:33

1 Answer

23

Wildcards are not supported in Google OAuth2 redirect URIs. I think your best bet is to use a single redirect URI, and pass in the user information in the state parameter. The state parameter is returned to you in the response. Then, when you receive the authorization code/tokens, you can look up the state parameter and handle the response appropriately (e.g., redirect to your user-specific URLs).

This answer has more information.

vlatko
  • 1
    hmm and how do I handle the response? Doesn't seem to be a "state" parameter there. Or can I use any redirect URI after receiving the code? How about calling an actual API? If I have an access token, can I use it from anywhere or what are the limitations? – r1pp3rj4ck Jan 23 '13 at 13:38
  • 2
    You pass in the state parameter when you prepare the request. For instance, you could include the username there. After you receive the authorization code, and exchange it for access/refresh tokens, you will have a valid access token along with a state parameter populated with the username. What to do with it is up to your application. One major limitation on the access token is that it's short-lived (you can check the expires_in parameter in the response, I think it's 3600 seconds). So, you will need to exchange your long-lived refresh token for an access token periodically. – vlatko Jan 23 '13 at 17:29
  • Thank you! Actually, I solved the whole thing before you responded to my comment, but it still clears a few things up. – r1pp3rj4ck Jan 24 '13 at 12:12
  • @r1pp3rj4ck I am facing the same issue with multiple custom domains. As you stated above that you solved the whole thing, can you guide us on the issue below? https://stackoverflow.com/questions/62996742/how-to-configure-wild-card-or-custom-domains-in-redirect-uri-in-google-oauth-2-0 – Jeet Bhatt Jul 21 '20 at 07:19
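
The single-redirect-URI approach from the answer, sketched as an added example (not code from the original posts or from Google): the username travels in an HMAC-signed `state` value, and the callback verifies it before mapping back to the user-specific path. The callback URI, key handling, session nonce, expiry and username rule are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, re, secrets, time
from urllib.parse import parse_qs, urlencode

SECRET = secrets.token_bytes(32)  # assumption: server-side key, persisted in real use
REDIRECT_URI = "https://www.example.com/google/callback"  # assumed single registered URI
CLIENT_ID = "YOUR_CLIENT_ID"      # placeholder
MAX_AGE = 600                     # seconds a state value stays valid (assumed)
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")  # assumed username rule

def sign(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest().encode()

def make_state(username, nonce, now=None):
    """Pack username + per-session nonce + timestamp, then append an HMAC."""
    body = {"u": username, "n": nonce, "t": int(now or time.time())}
    payload = base64.urlsafe_b64encode(json.dumps(body).encode())
    return (payload + b"." + sign(payload)).decode()

def build_auth_url(username, nonce):
    """Every user is sent to Google with the same redirect_uri."""
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "response_type": "code", "scope": "openid email",
              "state": make_state(username, nonce)}
    return "https://accounts.google.com/o/oauth2/v2/auth?" + urlencode(params)

def handle_callback(query, session_nonce, now=None):
    """Verify state from the callback query; return (code, user-specific path)."""
    q = parse_qs(query)
    code, state = q.get("code", [""])[0], q.get("state", [""])[0]
    payload, _, sig = state.encode().partition(b".")
    if not code or not hmac.compare_digest(sig, sign(payload)):
        raise ValueError("state missing or tampered")
    data = json.loads(base64.urlsafe_b64decode(payload))
    if not hmac.compare_digest(data["n"].encode(), session_nonce.encode()):
        raise ValueError("state was issued for another session")  # CSRF check
    if (now or time.time()) - data["t"] > MAX_AGE:
        raise ValueError("state expired")
    if not USERNAME_RE.fullmatch(data["u"]):
        raise ValueError("unexpected username")  # keeps the redirect on-site
    return code, "/%s/google/login" % data["u"]
```

The returned code is then exchanged for tokens using the same `REDIRECT_URI`, and the browser is sent to the returned path.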