I am using DotNetOpenAuth to connect to Facebook and Google through OAuth2. The OAuth specifications require that no additional parameters be added to request_uri, and Google actually applies this somewhat, forcing you to specify the exact uri callback when you define your Google application with them.
What I want to accomplish is the ability to return the user to a specific URL after they have been authenticated using Facebook or Google. The flow is this: the user clicks on a secure link, they are redirected to my login page with the returnUrl parameter, and then I start the authorization process based on the OAuth2 authorization server that they select.
Since request_uri cannot have any parameters (although Facebook allows you to get away with this), I cannot send the returnUrl parameter to the authorization server and return it in such a way that when the user is returned to my site, I will forward them to the protected page which they tried to access. The best I can do is send them to the member’s homepage or welcome page.
The way to fix this is to use the “state” parameter, which the authorization server will send back to request_uri, but I can’t find a way to specify this using DotNetOpenAuth.
By default, it looks like the code uses SessionID as a status parameter to validate the request returned from the authorization server. Specifying IClientAuthorizationTracker in the WebServerClient class allows me to connect my logic when the response is returned from the authorization server, but it is not called when preparing the authorization request, so I cannot connect an additional state.
This is the code from WebServerClient.cs PrepareRequestUserAuthorization:
There is no block that I would expect to play and connect my own data.
Any tips on what I am missing?
Ameen
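
One way to carry returnUrl inside the OAuth2 "state" value while keeping its request-validation role, as an added example that is not part of the original post and not DotNetOpenAuth code. The `OAuthState` class, its method names and the sample values are hypothetical, and how the value is handed to the library is left open.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: library-agnostic helper. OAuthState, Pack and TryUnpack are hypothetical names.
public static class OAuthState
{
    // Pack a per-session nonce (assumed random, no newline) and the local returnUrl
    // into one signed value. URL-encode the result when placing it in the query string.
    public static string Pack(byte[] key, string sessionNonce, string returnUrl)
    {
        string payload = Convert.ToBase64String(Encoding.UTF8.GetBytes(sessionNonce + "\n" + returnUrl));
        return payload + "." + Sign(key, payload);
    }

    // True only if the MAC verifies, the nonce matches the one stored in the user's
    // session, and the URL is a local path. The MAC is checked before decoding.
    public static bool TryUnpack(byte[] key, string state, string sessionNonce, out string returnUrl)
    {
        returnUrl = "/";
        string[] parts = (state ?? "").Split('.');
        if (parts.Length != 2 || !FixedEquals(Sign(key, parts[0]), parts[1])) return false;
        string[] fields = Encoding.UTF8.GetString(Convert.FromBase64String(parts[0])).Split(new[] { '\n' }, 2);
        if (fields.Length != 2 || !FixedEquals(fields[0], sessionNonce)) return false;
        if (!IsLocalPath(fields[1])) return false;
        returnUrl = fields[1];
        return true;
    }

    // Reject absolute and scheme-relative URLs so the callback cannot become an open redirect.
    static bool IsLocalPath(string url) =>
        url.Length > 0 && url[0] == '/' && !url.StartsWith("//") && !url.StartsWith("/\\");

    static string Sign(byte[] key, string data)
    {
        using (var h = new HMACSHA256(key)) return Convert.ToBase64String(h.ComputeHash(Encoding.UTF8.GetBytes(data)));
    }

    // Comparison whose running time does not depend on where the strings differ.
    static bool FixedEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        byte[] key = new byte[32]; RandomNumberGenerator.Create().GetBytes(key); // constructed demo key
        string state = Pack(key, "nonce-from-session", "/members/orders/42");   // constructed values
        string url;
        Console.WriteLine(TryUnpack(key, state, "nonce-from-session", out url) + " " + url);
    }
}
```

On the callback, a failed `TryUnpack` should end the login attempt rather than fall through to a default redirect, since it means the response was not bound to this session.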