Closed dmfs closed 7 years ago
ProtocolException: State in redirect uri doesn't match the original state! meaning
@SACHIN58585 I'm not sure if that's supposed to be a question.

A client is supposed to compare the value of the state field in the auth code response to the value it has set in the request, see https://tools.ietf.org/html/rfc6749#section-4.1.2

The ProtocolException is thrown if the state field in the redirect URI didn't equal the value which the client has put into the request URL. If you see this error, the auth server implementation is broken or the response didn't come from the server.
Do I need to insert the state returned in the auth code response explicitly in the redirect URI, or does oauth2-essentials do this on its own?
Your redirect URI should not contain any query parameters.

oauth2-essentials generates a random state for every AuthorizationCodeGrant and appends it to the authorization URL. The server appends the same state value to the redirect URL. oauth2-essentials verifies that the state in the redirect URL equals the one in the authorization URL.

For that it's important that you call withRedirect(redirectUrl) on the same OAuth2InteractiveGrant object (because the state is stored in that object).

If you use this on Android, your OAuth2InteractiveGrant object will probably not survive the call to the browser; in that case you can create a Serializable object from the grant, which you can store in a Bundle, and recreate the grant object when your Activity is restored. See #57 for more info on that.
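The check described in this thread, written out as an added example (not oauth2-essentials code): a grant object holds a fresh random state, puts it into the authorization URL, and withRedirect-style verification compares the state echoed back in the redirect against the one stored in that same object, rejecting a redirect URI that already carries query parameters. AuthCodeGrant, ProtocolError and simulate_server_redirect are hypothetical names chosen for this illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class ProtocolError(Exception):
    """Raised when the redirect does not match the request that was issued."""


class AuthCodeGrant:
    """One authorization-code request. The state lives in this object, which is
    why the redirect must be handed to the same instance (hypothetical code)."""

    def __init__(self, auth_endpoint, client_id, redirect_uri):
        # Query parameters in the redirect URI would collide with code/state.
        if urlparse(redirect_uri).query:
            raise ValueError("redirect URI must not contain query parameters")
        self.auth_endpoint = auth_endpoint
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.state = secrets.token_urlsafe(32)  # fresh, unguessable per grant

    def authorization_url(self):
        params = {"response_type": "code", "client_id": self.client_id,
                  "redirect_uri": self.redirect_uri, "state": self.state}
        return f"{self.auth_endpoint}?{urlencode(params)}"

    def with_redirect(self, redirect_url):
        """Verify the redirect and return the authorization code (RFC 6749 4.1.2)."""
        query = parse_qs(urlparse(redirect_url).query)
        state = query.get("state", [None])[0]
        # Constant-time compare against the state stored in *this* object.
        if state is None or not hmac.compare_digest(state, self.state):
            raise ProtocolError("State in redirect uri doesn't match the original state!")
        if "error" in query:
            raise ProtocolError(f"server returned error: {query['error'][0]}")
        code = query.get("code", [None])[0]
        if code is None:
            raise ProtocolError("redirect carries no authorization code")
        return code


def simulate_server_redirect(authorization_url, code):
    """Constructed stand-in for a correct auth server: echo the state back with a code."""
    req = parse_qs(urlparse(authorization_url).query)
    return req["redirect_uri"][0] + "?" + urlencode({"code": code, "state": req["state"][0]})
```

Handing the redirect to a second, freshly created AuthCodeGrant raises ProtocolError even though the server behaved correctly, which is exactly the Android failure mode described above.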
BasicOAuth2AuthCodeAuthorization fails to verify the state although the state is correct.