dmfs / oauth2-essentials

An OAuth2 client implementation based on http-client-essentials.
Apache License 2.0

State in redirect uri doesn't match the original state! #19

Closed dmfs closed 7 years ago

dmfs commented 7 years ago

BasicOAuth2AuthCodeAuthorization fails to verify the state although the state is correct.

SACHIN58585 commented 5 years ago

ProtocolException: State in redirect uri doesn't match the original state! meaning

dmfs commented 5 years ago

@SACHIN58585 I'm not sure if that's supposed to be a question.

A client is supposed to compare the value of the state field in the auth code response to the value it has set in the request, see https://tools.ietf.org/html/rfc6749#section-4.1.2

The ProtocolException is thrown if the state field in the redirect uri didn't equal the value which the client has put into the request url. If you see this error, the auth server implementation is broken or the response didn't come from the server.

SACHIN58585 commented 5 years ago

Do I need to insert the state returned in the auth code response explicitly in the redirect URI, or does oauth2-essentials do this on its own?

dmfs commented 5 years ago

Your redirect URI should not contain any query parameters.

oauth2-essentials generates a random state for every AuthorizationCodeGrant and appends it to the authorization URL. The server appends the same state value to the redirect URL. oauth2-essentials verifies that the state in the redirect URL equals the one in the authorization URL.

For that it's important that you call withRedirect(redirectUrl) on the same OAuth2InteractiveGrant object (because the state is stored in that object).

If you use this on Android your OAuth2InteractiveGrant object will probably not survive the call to the Browser, in that case you can create a Serializable object from the grant, which you can store in a Bundle and recreate the grant object when your Activity is restored. See #57 for more info on that.
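To make the state check from the two replies above concrete, here is an added, self-contained illustration in Python. It is not oauth2-essentials' code and does not use its API; the class `AuthCodeGrant`, the `ProtocolError` exception, the `simulate_server_redirect` stand-in for the authorization server, and all URLs, client ids and the authorization code are constructed for the example. It shows the three situations discussed in the thread: the state generated for one grant object is echoed back by the server and verified on the same object (works); the grant is serialized before the browser hand-off and restored afterwards (works, because the state is part of what is persisted); and `with_redirect` is called on a fresh grant object with its own fresh state (fails with the "State in redirect uri doesn't match" error, which is the usual cause of the symptom reported here).

```python
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class ProtocolError(Exception):
    """Raised when the redirect does not carry the state this client sent."""


class AuthCodeGrant:
    """Constructed stand-in for an interactive authorization-code grant.

    Not oauth2-essentials' own class; it only models the part of the flow this
    issue is about: one random state per grant object, checked on the redirect.
    """

    def __init__(self, auth_endpoint, client_id, redirect_uri, state=None):
        self.auth_endpoint = auth_endpoint
        self.client_id = client_id
        # The registered redirect URI must carry no query string of its own
        # (the server appends ?code=...&state=... to it).
        self.redirect_uri = redirect_uri
        # Fresh, unguessable state per grant (RFC 6749 section 10.12): this is
        # the CSRF binding between the request the client sent and the redirect.
        self.state = state if state is not None else secrets.token_urlsafe(32)

    def authorization_url(self):
        """Build the URL the user agent is sent to; the state rides along."""
        params = {
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "state": self.state,
        }
        return f"{self.auth_endpoint}?{urlencode(params)}"

    def with_redirect(self, redirect_url):
        """Verify the redirect (RFC 6749 section 4.1.2) and return the code."""
        query = parse_qs(urlparse(redirect_url).query)
        returned_state = query.get("state", [None])[0]
        # Constant-time comparison; a missing or different state means the
        # redirect was not produced for this grant (broken server or forged
        # redirect), so the code must not be used.
        if returned_state is None or not hmac.compare_digest(
            returned_state.encode(), self.state.encode()
        ):
            raise ProtocolError(
                "State in redirect uri doesn't match the original state!")
        if "error" in query:
            raise ProtocolError(f"server returned error: {query['error'][0]}")
        code = query.get("code", [None])[0]
        if code is None:
            raise ProtocolError("redirect carries no authorization code")
        return code

    # Persistence across a process/Activity restart: the state must survive,
    # which is why the same (or a restored) grant object has to do the check.
    def serialize(self):
        return json.dumps({
            "auth_endpoint": self.auth_endpoint,
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "state": self.state,
        })

    @classmethod
    def deserialize(cls, blob):
        return cls(**json.loads(blob))


def simulate_server_redirect(authorization_url, code="SplxlOBeZQQYbYS6WxSbIA"):
    """Constructed stand-in for a correct authorization server: it echoes the
    state from the request back on the redirect together with a code."""
    params = parse_qs(urlparse(authorization_url).query)
    return params["redirect_uri"][0] + "?" + urlencode(
        {"code": code, "state": params["state"][0]})


AUTH = "https://auth.example/authorize"          # constructed
CLIENT = "client-123"                            # constructed
REDIRECT = "https://app.example/callback"        # constructed, no query string


def same_object_path():
    """Request and redirect handled by one grant object: state matches."""
    grant = AuthCodeGrant(AUTH, CLIENT, REDIRECT)
    return grant.with_redirect(simulate_server_redirect(grant.authorization_url()))


def restored_object_path():
    """Grant serialized before the browser hand-off and restored after it."""
    grant = AuthCodeGrant(AUTH, CLIENT, REDIRECT)
    auth_url = grant.authorization_url()
    blob = grant.serialize()          # e.g. stored in an Android Bundle
    del grant                         # the original object did not survive
    restored = AuthCodeGrant.deserialize(blob)
    return restored.with_redirect(simulate_server_redirect(auth_url))


def fresh_object_pitfall():
    """Redirect checked on a new grant object (new state): the check fails."""
    first = AuthCodeGrant(AUTH, CLIENT, REDIRECT)
    auth_url = first.authorization_url()
    second = AuthCodeGrant(AUTH, CLIENT, REDIRECT)   # has its own random state
    try:
        second.with_redirect(simulate_server_redirect(auth_url))
    except ProtocolError:
        return True
    return False


if __name__ == "__main__":
    print(same_object_path(), restored_object_path(), fresh_object_pitfall())
```

The third function is the situation the reporter most likely hit: if the grant object that built the authorization URL is gone by the time the redirect arrives and a new one is created, its state can never match, so the library correctly refuses the code. Persisting the grant (as in `restored_object_path`) keeps the original state available for the check.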