
I have a browser extension that uses OAuth2 to retrieve an access token. As recommended by https://api.stackexchange.com/docs/authentication, I use https://stackoverflow.com/oauth/login_success as the value of redirect_uri.

To avoid inadvertently using the access token from other applications, I have inserted a unique identifier in the URL, so that the extension will only use access tokens that it has explicitly requested.

The URL for the OAuth is thus as follows:

https://stackoverflow.com/oauth/dialog?client_id=903&redirect_uri=https://stackexchange.com/oauth/login_success?robw&protocol=https&&scope=no_expiry,read_inbox

Upon successful authentication, it used to redirect to:
https://stackexchange.com/oauth/login_success?robw&protocol=https#access_token=XX

A user recently reported that my extension was broken. This is apparently because they are redirected to the following instead:
https://stackexchange.com/oauth/login_success?protocol=https#access_token=XX

Is this a bug in OAuth (and will the value of redirect_uri be respected in a future update)? If not, what is the recommended way to authenticate users and avoid conflicts with other browser extensions that also use the recommended redirect_uri to authenticate users?

1 Answer

I don't think that's a bug, for implicit OAuth. Anyway, if I understand RFC 6749 correctly, that is not how you are supposed to do such extra checks.

Use the state parameter. And this works.

For example, a call to:

`/oauth/dialog?...&state=robfoo&redirect_uri=https://stackexchange.com/oauth/login_success`

(Click the link and try it.)

yields results like:

`https://stackexchange.com/oauth/login_success#access_token=Qs...LUg))&state=robfoo`

when the user authorizes the app.
