OAuth with query parameters


(Tyler Main) #1

Good afternoon,

I am working on integrating with dwolla and have everything largely hooked up in our backend for oauth and sending/receiving payments.

I am now working on hooking it up to the frontend and find myself needing to pass additional query params attached to the redirect_uri to preserve some state through authentication. According to the docs and all of the other threads on here this should be doable, but on every request I consistently receive the error “Redirect Uri does not match redirect uri associated with token.”

I have double checked that what I have configured as redirect through the UI and what is being sent are identical (save for the query parameters).

What I have configured for local testing in the ui is:
http://127.0.0.1:8081/wallet/dwolla/login/finish

What I am sending in as redirect_uri is:
http://127.0.0.1:8081/wallet/dwolla/login/finish?redirect_url=http%3A%2F%2Fwww.example.com

When the flow is complete I am being redirected here with the error:
http://127.0.0.1:8081/wallet/dwolla/login/finish?redirect_url=http%3A%2F%2Fwww.example.com&code=

I am working in node.js using dwolla-node.

Any help or suggestions would be welcome.

Thanks!


(David Stancu) #2

Hi @vaelinn!

I am noticing something strange about the URLs that you have shown us in your post; please ensure that you are using redirect_uri and not redirect_url. Additionally, from a security perspective, please do not save authentication state via query parameters.

A better alternative would be to use Express’ session middleware or, if this is not compatible with your set up, you can use something more framework/platform agnostic like Redis. I have seen Redis middleware available for literally every useful application framework! :smile:

Best,

David


(Tyler Main) #3

Thanks for the response David.

I have redirect_uri set properly for dwolla via dwolla-node internally; I am just passing it the URL to set as redirect_uri. redirect_url is what I am using to tell my code where it needs to go after the flow has redirected, as it is currently being redirected to my backend and I want the frontend to have some control on where it goes from there. So redirect_url is the query parameter that I would like to persist through for my usage.

I thought about Redis as well, and gave it a go, but as our site has multiple regions/languages I need to know which user the returned redirect is for, and there is no identifying information coming back from the redirect without that query param to know which user needs to be redirected to which lang/region.

Also, just to be clear, I don’t want to save any authentication info via the query param, nothing about the user even; just pass through a redirect URL to be used after the OAuth flow completes so that my frontend has a bit more control.

Thanks again,

Tyler


(Spencer Hunter) #4

Hey @vaelinn,

I mentioned this briefly in the post below: per the OAuth spec, if the “redirect_uri” parameter was included in the initial authorization request, the values in the authorization request and the token request MUST be identical. Added an example below.

var express = require('express');
var util = require('util');
var request = require('request');
// c is assumed to be a config object holding client_id, client_secret and host
var c = require('./config');
var router = express.Router();

// start auth: the redirect_uri sent here is the one Dwolla will compare against later
router.get('/auth', function(req, res) {
	var scope = 'Transactions';
	var client_id = c.client_id;
	var redirect_uri = c.host + '/return?http://www.example.com';
	var url = util.format("https://www.dwolla.com/oauth/v2/authenticate?client_id=%s&response_type=code&redirect_uri=%s&scope=%s",
	 encodeURIComponent(client_id),
	 encodeURIComponent(redirect_uri),
	 encodeURIComponent(scope));
	res.redirect(url);
});
//finish auth: the token request must repeat exactly the same redirect_uri
router.get('/return', function(req, res) {
	var client_id = c.client_id;
	var redirect_uri = c.host + '/return?http://www.example.com';
	var client_secret = c.client_secret;
	var code = req.query.code;
	var url = util.format("https://www.dwolla.com/oauth/v2/token?client_id=%s&client_secret=%s&grant_type=authorization_code&redirect_uri=%s&code=%s",
	 encodeURIComponent(client_id),
	 encodeURIComponent(client_secret),
	 encodeURIComponent(redirect_uri),
	 encodeURIComponent(code));
	request(url, function (error, response, body) {
	  if (!error && response.statusCode == 200) {
	    var data = JSON.parse(body);
	    // keep the token server-side in the session, never in the URL
	    req.session.access_token = data.access_token;
	    res.redirect('/dashboard');
	  } else {
	    res.status(502).send('token exchange failed');
	  }
	});
});

module.exports = router;

(Tyler Main) #5

Thanks @spencer, I missed the point on the initial request including the redirect_uri there. I will give this a go and let you know. I feel pretty confident this will resolve my issue.

Thanks again!


(Cory Anderson) #6

(Cory Anderson) #7