oauth 2.0 - How to identify the provider for an OAuth2 redirect_uri callback?
I'm trying to understand how to identify which provider is returning an authorization response for a request the client initiated. I see these approaches:
- use provider-specific redirect_uri callback URIs, e.g. /oauth2/<provider-name>/callback
- encode the provider id/name in the state parameter somehow
- store the pending provider id/name in the web session
- try to verify the response against the providers in use
I've read parts of the OAuth2 spec but can't find anything discussing this. Looking at other client implementations, provider-specific URIs seem to be the common solution. Am I missing something?
Clients may not be multi-tenant and are often tightly integrated with a single authorization server, so there's no need to store a provider identifier because there's a single fixed one. That may be the reason why there's no obvious solution.
Multi-provider clients like yours should store the provider identifier as part of state, because state should be protected and a provider-specific redirect_uri is not. One could play an access token from provider A against the callback for provider B and defeat the purpose of the provider-specific callback.
state can be protected either by a reference to server-side state or an encrypted cookie, or by a self-contained, encrypted, structured value carried in the state parameter, and that can be a safe mechanism to store the provider identifier.
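As an added example (not the answerer's code), here is one way a client can carry the provider identifier in a MAC-protected, self-contained `state` value and check it on the provider-specific callback. It assumes a hypothetical server-side HMAC key `STATE_KEY`, a 600-second freshness window, and callback paths of the form `/oauth2/<provider>/callback`; the `demo()` function walks through the legitimate flow, the cross-provider replay the answer describes, a forged provider field, a replayed state, and an expired state.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Hypothetical key used only for this example; a real client loads it from
# configuration or a key store and never hard-codes it.
STATE_KEY = b"example-state-mac-key-do-not-use-in-production"
STATE_MAX_AGE = 600  # seconds a pending authorization request stays valid


class InvalidState(Exception):
    """Raised when a state value fails integrity, freshness or provider checks."""


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(body: str, key: bytes) -> str:
    return _b64e(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())


def make_state(provider: str, key: bytes = STATE_KEY, now: Optional[float] = None) -> str:
    """Build a self-contained state value binding a nonce and timestamp to a provider.

    The client sends this as the `state` parameter when redirecting the user
    to `provider`'s authorization endpoint.
    """
    payload = {
        "p": provider,                    # provider this request was started with
        "n": secrets.token_urlsafe(16),   # per-request nonce (CSRF / replay)
        "t": int(time.time() if now is None else now),
    }
    body = _b64e(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    return f"{body}.{_mac(body, key)}"


def parse_state(state: str, key: bytes = STATE_KEY, now: Optional[float] = None,
                max_age: int = STATE_MAX_AGE) -> dict:
    """Verify the MAC and freshness of a state value and return its payload."""
    try:
        body, tag = state.split(".", 1)
    except ValueError:
        raise InvalidState("malformed state")
    # Constant-time compare so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(_mac(body, key), tag):
        raise InvalidState("bad signature")
    try:
        payload = json.loads(_b64d(body))
    except (ValueError, UnicodeDecodeError):
        raise InvalidState("malformed payload")
    current = time.time() if now is None else now
    if not isinstance(payload.get("t"), int) or current - payload["t"] > max_age:
        raise InvalidState("expired")
    return payload


def verify_callback(path_provider: str, state: str, seen_nonces: Optional[set] = None,
                    key: bytes = STATE_KEY, now: Optional[float] = None) -> Tuple[bool, str]:
    """Check a callback hitting /oauth2/<path_provider>/callback against its state.

    Returns (ok, reason). The provider named in the signed state is the one the
    client actually started the flow with, so it must match the callback path;
    the token exchange must then go to that provider's token endpoint only.
    """
    try:
        payload = parse_state(state, key=key, now=now)
    except InvalidState as exc:
        return False, str(exc)
    if payload.get("p") != path_provider:
        return False, "provider mismatch"
    if seen_nonces is not None:  # server-side set shared by all callback workers
        if payload["n"] in seen_nonces:
            return False, "replayed state"
        seen_nonces.add(payload["n"])
    return True, payload["p"]


def demo() -> dict:
    """Legitimate flow plus the attacks the answer warns about (constructed inputs)."""
    t0 = 1_700_000_000
    seen = set()
    state_a = make_state("provider-a", now=t0)
    results = {}
    # Provider A redirects back to /oauth2/provider-a/callback with its own state.
    results["legit"] = verify_callback("provider-a", state_a, seen, now=t0 + 5)
    # Same response played against provider B's callback: provider in state disagrees.
    results["cross_provider"] = verify_callback("provider-b", state_a, set(), now=t0 + 5)
    # Attacker rewrites the provider inside state but cannot produce a valid MAC.
    body, tag = state_a.split(".", 1)
    forged = json.loads(_b64d(body))
    forged["p"] = "provider-b"
    forged_state = _b64e(json.dumps(forged, separators=(",", ":")).encode()) + "." + tag
    results["forged"] = verify_callback("provider-b", forged_state, set(), now=t0 + 5)
    # The already-consumed state is submitted a second time.
    results["replay"] = verify_callback("provider-a", state_a, seen, now=t0 + 6)
    # A state older than the freshness window.
    results["expired"] = verify_callback("provider-a", state_a, set(), now=t0 + STATE_MAX_AGE + 1)
    return results
```

The MAC only guarantees integrity; if the provider name must stay hidden from the user, encrypt the payload (for example with AEAD) or replace it with an opaque reference to server-side session state, as the answer suggests. Either way, the callback handler decides which token endpoint to call from the protected state, never from the URL path alone.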