
When I send a request to the OAuth 2.0 authorization server to get an authorization code, I am sending an encoded state property in the URL. As per Google's documentation, the redirected response should also contain the encoded state value in the URL.

For example, my request URL is

https://accounts.google.com/o/oauth2/v2/auth?scope=https%3A//www.googleapis.com/auth/drive.metadata.readonly&state=https%3A%2F%2Fmydomain%3A8383%2Fhtml%2Foauth-verification.html&redirect_uri=https%3A//oauth2.example.com/code&access_type=offline&response_type=code&client_id=583306224539-atbcaa8ne8g85e8kc006o6vmq99qiid0.apps.googleusercontent.com

This should redirect to

https://oauth2.example.com/code?state=https%3A%2F%2Fmydomain%3A8383%2Fhtml%2Foauth-verification.html&code=4/0ARtbhnkIrVcHpI3NCb1J3-JRWLsJ6JVX5Nd7JHmNAKVL4aYJlz_s9yf9MPn2MJtymuEk_g&scope=https://www.googleapis.com/auth/drive.metadata.readonly

But it decodes the state parameter and redirects to

https://oauth2.example.com/code?state=https://mydomain:8383/html/oauth-verification.html&code=4/0ARtbhnkIrVcHpI3NCb1J3-JRWLsJ6JVX5Nd7JHmNAKVL4aYJlz_s9yf9MPn2MJtymuEk_g&scope=https://www.googleapis.com/auth/drive.metadata.readonly
Dhinesh
  • What did you set as the redirect URL in the Google console? – Fawkes Nov 07 '22 at 06:29
  • @Fawkes Same as the one in the request URL. Redirection works without any issues; it's the state parameter causing the problem. Whatever value is sent in the state parameter should be returned in the redirect URL without any encoding/decoding. – Dhinesh Nov 07 '22 at 07:41
  • state allows any string. So does a normal URL work? I mean you can skip the encoding part and just pass a plain URL. – Fawkes Nov 07 '22 at 09:07
  • @Fawkes The redirect URL that I use in production won't let query parameters that are not encoded pass through. – Dhinesh Nov 07 '22 at 11:14
  • I see. Usually, I have always passed identifier-type values in state and managed state-based redirection programmatically. For your solution, you can pass an encrypted URL, using base64 or any other method, and then decrypt it. I have searched the web and I couldn't find why Google returns the decoded URL in the query string. It is a bit strange to me as well. – Fawkes Nov 08 '22 at 05:51
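An added example (not from the question or from Google's code) illustrating what the comments circle around: a percent-encoded query value is decoded once by whichever side parses it, so the two redirect URLs in the question carry the same state once parsed, and the pattern Fawkes describes keeps the post-login URL server-side behind an opaque, random, single-use state, which is also what makes state useful as a CSRF token. The client id, authorization code and in-memory store are constructed placeholders.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
REDIRECT_URI = "https://oauth2.example.com/code"   # redirect_uri from the question

# Server-side store mapping an opaque state to the post-login target.
# Constructed stand-in for a real session store.
_pending = {}

def build_auth_url(client_id, scope, after_login_url):
    """Issue a random single-use state; the target URL never leaves the server."""
    state = secrets.token_urlsafe(32)
    _pending[state] = after_login_url
    params = {
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": scope,
        "state": state,
        "access_type": "offline",
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}", state

def query_param(url, name):
    """Return one query value; parse_qs percent-decodes it exactly once."""
    return parse_qs(urlsplit(url).query)[name][0]

def consume_state(state):
    """Look up and delete the state so a replayed or forged callback gets None."""
    return _pending.pop(state, None)

# The two redirect URLs from the question; CODE_PLACEHOLDER stands in for the real code.
ENCODED = ("https://oauth2.example.com/code?state=https%3A%2F%2Fmydomain%3A8383"
           "%2Fhtml%2Foauth-verification.html&code=CODE_PLACEHOLDER"
           "&scope=https://www.googleapis.com/auth/drive.metadata.readonly")
DECODED = ("https://oauth2.example.com/code?state=https://mydomain:8383"
           "/html/oauth-verification.html&code=CODE_PLACEHOLDER"
           "&scope=https://www.googleapis.com/auth/drive.metadata.readonly")

def same_state(url_a, url_b):
    """True when both callbacks carry the same state after parsing."""
    return query_param(url_a, "state") == query_param(url_b, "state")

if __name__ == "__main__":
    url, st = build_auth_url("CLIENT_ID_PLACEHOLDER",
                             "https://www.googleapis.com/auth/drive.metadata.readonly",
                             "https://mydomain:8383/html/oauth-verification.html")
    print(same_state(ENCODED, DECODED), consume_state(st))
```

Because the callback handler compares the parsed state against its own store, whether the provider re-encodes the value on the wire no longer matters.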
