
I'm implementing single sign-on via Google into my site and it's working fine, BUT: I need it to support various instances of the website.

This is a problem because Google does not seem to support any sort of dynamism in the redirect URLs. From the docs about redirect URLs:

Determines where the API server redirects the user after the user completes the authorization flow. The value must exactly match one of the authorized redirect URIs for the OAuth 2.0 client, which you configured in the API Console.

This is annoying to say the least; no wildcards, no query string variation - has to match exactly the value you store in the console.

So my question is: does anyone know of any means of telling Google's auth service to return custom data appended to the redirect URL?

I'm thinking something like

$google->setRedirectUri('http://example.com/foo');

//pseudo code...
$google->setCustomRedirectData([
    'foo' => 'bar'
]);

...which would generate

http://example.com/foo?code=...&other_google_params=...&foo=bar

Is there any way for this, or do I have no option but to specify literally every redirect URL manually?

Mitya
  • We use the `state` parameter for this. – ceejayoz Aug 13 '19 at 20:50
  • We give the user a session value before sending them for authentication and check it when they return –  Aug 13 '19 at 21:05
  • @ceejayoz thanks, I'll look into that. Actually I've just done that and can see that it is indeed what I need. If you post that as answer I'll accept. – Mitya Aug 13 '19 at 21:07
  • @tim - I should have said that the variation in sites involves different domains, so this isn't an option, but thanks. – Mitya Aug 13 '19 at 21:08
  • You could then set up a 'project' for each domain –  Aug 13 '19 at 21:08
  • Not an option - too many domains, and they are added daily. Thanks anyway. – Mitya Aug 14 '19 at 10:11

1 Answer


We use the state parameter for this. In our case, we only need to store a small amount of data (which of our wildcarded subdomains or custom domains the user came from) and it's quite effective.

The format of it is up to you. We base64 encode some (non-sensitive) JSON into it.

ceejayoz
  • Thanks, just what I needed. Would be helpful if Google flagged this up more in the console where you enter redirect URLs otherwise I'd have never known it existed. – Mitya Aug 14 '19 at 10:34
  • @Utkanos Well, they probably don't document this usage because, while useful, it's *technically* not what it's for. https://stackoverflow.com/questions/26132066/what-is-the-purpose-of-the-state-parameter-in-oauth-authorization-request – ceejayoz Aug 14 '19 at 13:34
  • Interesting. But I can't be alone in this case, where callback needs to pass along some persistent state. – Mitya Aug 15 '19 at 12:11
  • @Utkanos You're definitely not, and I think a lot of us abuse `state` for this. Google's particularly picky in their redirect URL enforcement; not sure if it's for a good security reason or if it's just them being a pain. Most of the other big OAuth systems permit any number of arbitrary GET params without issues. – ceejayoz Aug 15 '19 at 13:05
  • @ceejayoz yes - this is my experience too. Oh well! Thanks. – Mitya Aug 15 '19 at 14:51
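The accepted answer's technique (base64-encoded JSON in `state`, one fixed redirect URI), carried through with the guards a practitioner would want, as an added example. This is not code from the answer or the question (the question's snippet is PHP; this is Python, standard library only). It assumes a server-side secret `STATE_SECRET`, a per-login nonce kept in the user's session, and a constructed registry of tenant hostnames `REGISTERED_HOSTS`; the `/sso/complete` path on the tenant host is also an assumption. Because `state` is the OAuth CSRF token, the payload is HMAC-signed, time-limited and bound to the session nonce, and the tenant host is re-checked against the registry before the user is sent back, so a forged or replayed `state` cannot turn the single registered callback into an open redirect.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumptions for this example; a real deployment loads these from config/DB.
STATE_SECRET = b"example-only-32-byte-secret-key!"
REGISTERED_HOSTS = {"tenant-a.example.com", "tenant-b.example.net"}  # constructed
MAX_STATE_AGE = 600  # seconds a state value stays valid

# The one redirect URI registered in the Google console; it never varies.
REDIRECT_URI = "https://sso.example.com/oauth/callback"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_state(payload: dict, nonce: str, now=None) -> str:
    """Pack payload + anti-CSRF nonce + timestamp as JSON and HMAC-SHA256 it."""
    ts = int(now if now is not None else time.time())
    raw = json.dumps({"n": nonce, "t": ts, "d": payload},
                     separators=(",", ":"), sort_keys=True).encode()
    mac = hmac.new(STATE_SECRET, raw, hashlib.sha256).digest()
    return f"{_b64url(raw)}.{_b64url(mac)}"


def parse_state(state: str, expected_nonce: str, now=None) -> dict:
    """Verify MAC, freshness and session nonce; return payload or raise ValueError."""
    try:
        raw_b64, mac_b64 = state.split(".", 1)
        raw, mac = _b64url_decode(raw_b64), _b64url_decode(mac_b64)
    except Exception as exc:
        raise ValueError("malformed state") from exc
    expected = hmac.new(STATE_SECRET, raw, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("state signature mismatch")
    body = json.loads(raw)
    current = now if now is not None else time.time()
    if current - body["t"] > MAX_STATE_AGE:
        raise ValueError("state expired")
    if not hmac.compare_digest(str(body["n"]), expected_nonce):
        raise ValueError("state nonce does not match session")
    return body["d"]


def start_login(session: dict, origin_host: str, client_id: str, now=None) -> str:
    """Build the Google authorization URL for a login that began on origin_host."""
    if origin_host not in REGISTERED_HOSTS:
        raise ValueError(f"unknown tenant host: {origin_host}")
    nonce = secrets.token_urlsafe(16)
    session["oauth_nonce"] = nonce  # single-use; consumed by handle_callback
    params = {
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": "openid email",
        "state": make_state({"host": origin_host}, nonce, now),
    }
    return "https://accounts.google.com/o/oauth2/v2/auth?" + urlencode(params)


def handle_callback(session: dict, callback_url: str, now=None):
    """Validate the callback; return (auth_code, URL to send the user back to)."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise ValueError(f"provider error: {qs['error'][0]}")
    if "code" not in qs or "state" not in qs:
        raise ValueError("callback missing code or state")
    nonce = session.pop("oauth_nonce", None)  # consume even if validation fails
    if nonce is None:
        raise ValueError("no login in progress for this session")
    data = parse_state(qs["state"][0], nonce, now)
    host = data.get("host")
    # Re-check on the way out: never redirect to a host taken from the request
    # alone, even a signed one (the signing key could leak or be shared).
    if host not in REGISTERED_HOSTS:
        raise ValueError(f"unknown tenant host in state: {host}")
    return qs["code"][0], f"https://{host}/sso/complete"
```

The payload stays small (one hostname), which matters because the authorization URL has to fit in a browser redirect and Google caps the size of the request. Rotating `STATE_SECRET` invalidates in-flight logins, which is the intended trade-off for a 10-minute state lifetime.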