OAuth: how to set dynamic callback url?

I have included Satellizer in my application with various social network providers (Facebook, Twitter, Google). My stack consists of: AngularJS (UI Router) and NodeJS / Express.

I seem to be facing the problem of setting up dynamic callback URLs for user authentication. My application doesn't have a consistent login URL, for example http://example.com/login , because all my URLs are dynamic and token based, for example: http://example.com/XH12aT1771 . In fact, my user interface is a modal overlay, and there is no permanent login page.

The problem with integrating my system with OAuth is that, when registering the user in my application using the modal overlay, I want to return them to the desired room (or token) in which they are located, and not redirect them to any callback URL page, since that would be a bad user interface.

Is the only way to make the OAuth callback url code hard-coded, for example: http://example.com/success , and then redirect the user back to their token after they get to the /success page? Is this really the only way to do this?

Let me know if you have further questions, thanks for the help.

+6
4 answers

I would not know about the parameters that Satellizer gives you, and it also depends on the parameters supported by the authorization server (AS), but:

From a security point of view, it is recommended that you use a fixed callback URL in any case, to prevent some of the attacks that might occur due to an incorrect or inexact match of URLs on the AS side, or an accidental leak of the token to third parties on the RP side due to embedded images/frames on pages that do not consume a token, etc.

Thus, regardless of whether there is another way, it would be a good security practice to use a fixed callback URL anyway, and you can (hopefully) associate the original URL with the state parameter that will be sent, or place it in a cookie, and restore it after consuming the token on the callback URL.

+1

I am not familiar with Satellizer, but I created a dynamic oauth callback structure.

    // Base URL from application config, then a per-invite path segment
    $callback_url = Configure::read('Your.base') . 'connect/provider/signin/' . $invite_code;

We will disable the unique URL that puts someone in a particular room.

+1

I'm not familiar with Satellizer, but after a short read, it seems like there is an option to configure the callback URL after logging in.

    // Google
    $authProvider.google({
      url: '/auth/google',
      authorizationEndpoint: 'https://accounts.google.com/o/oauth2/auth',
      // redirect back to wherever the user currently is
      redirectUri: window.location.origin || window.location.protocol + '//' + window.location.host,
      scope: ['profile', 'email'],
      scopePrefix: 'openid',
      scopeDelimiter: ' ',
      requiredUrlParams: ['scope'],
      optionalUrlParams: ['display'],
      display: 'popup',
      type: '2.0',
      popupOptions: { width: 452, height: 633 }
    });

Here they configure the redirect URI directly to the location where the user currently is. See the Satellizer configuration.

Isn't that what you are looking for?

+1

It seems that the answer should be either what kfis said, or -

    $authProvider.loginRedirect = '/'; // Change this relative path

per Satellizer

0

Source: https://habr.com/ru/post/977621/
