OAuth callback URL parameters with Doorkeeper


Question

I'm Using OAuth2 with Doorkeeper to protect my API.

The problem is that one client had several different flows in which he redirects users to my OAuth flow.

He would like to dynamically add some parameters when redirecting the user to my OAuth flow and get these parameters back when I'm calling his callback URL. This way he will be able to tell from which flow this callback originated.

Is this possible with OAuth 2? with Doorkeeper? How?

Thanks Zólyomi István for your hint. I set the state parameter before calling the auth endpoint and got it back in the callback. However, I found that I get back a state parameter with some apparently random string even if I don't set anything. Any idea what it is? I'd like to be sure I'm not messing up anything...

Answer

Well, using the state parameter was indeed the solution. Just adding state to the request and then getting it back when the control is returned to my code. According to the specification:

The state parameter is used to link requests and callbacks to prevent CSRF attacks where an attacker authorizes access to his own resources and then tricks users into following a redirect with the attacker's token.

Apparently omniauth oauth 2 assigns a random value to this parameter unless it's used, in order to detect CSRF attacks.
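As an added example (not part of the original answer, and not Doorkeeper's or OmniAuth's own code), here is what the client side of the answer above looks like in plain Ruby: the state sent to the authorization endpoint is an unguessable per-session nonce with the originating flow name appended, it is remembered in the session, and on the callback it is compared in constant time before the flow name is read back out. The authorization endpoint URL, client id, redirect URI and the `session` Hash are placeholders assumed for the example; in a Rails app `session` would be the real session store.

```ruby
require "securerandom"
require "uri"

# Placeholders assumed for this example; substitute the real provider values.
AUTHORIZE_ENDPOINT = "https://provider.example/oauth/authorize"
CLIENT_ID          = "client-id-placeholder"
REDIRECT_URI       = "https://client.example/callback"

# Constant-time string comparison so a forged state cannot be guessed
# byte by byte from response timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Build the URL the user is redirected to. The state carries a random nonce
# (the CSRF protection) plus the name of the client-side flow that started
# this redirect, so the flow can be recovered when the callback arrives.
# `session` stands in for the client's server-side session store.
def build_authorize_url(session, flow)
  nonce = SecureRandom.hex(16)
  state = "#{nonce}.#{flow}"
  session[:oauth_state] = state          # remembered so the callback can be checked
  params = {
    "response_type" => "code",
    "client_id"     => CLIENT_ID,
    "redirect_uri"  => REDIRECT_URI,
    "state"         => state,
  }
  "#{AUTHORIZE_ENDPOINT}?#{URI.encode_www_form(params)}"
end

# Handle the provider's callback. Returns the flow name when the returned
# state matches the one issued for this session, and nil otherwise; a nil
# result means the authorization code must not be exchanged.
def handle_callback(session, callback_url)
  query    = URI.decode_www_form(URI(callback_url).query || "").to_h
  expected = session.delete(:oauth_state)   # one-time use: consumed on first callback
  received = query["state"]
  return nil if expected.nil? || received.nil?
  return nil unless secure_equal?(received, expected)
  received.split(".", 2)[1]                 # the flow label after the nonce
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  url = build_authorize_url(session, "checkout")
  puts url
  callback = "#{REDIRECT_URI}?code=constructed-code&state=#{session[:oauth_state]}"
  puts handle_callback(session, callback).inspect   # flow name recovered
end
```

The flow label is only a tag; what gives the CSRF protection is that the nonce is unguessable and bound to the session that started the redirect, and that the stored value is deleted once used so a callback cannot be replayed. A state that does not match is rejected before any code exchange happens.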

