redirect - Google OAuth 2 和状态参数值需要在重定向 url 中注册

Question

根据 Google Oauth 2.0 文档的状态参数:

Indicates any state which may be useful to your application upon receipt of the response. The Google Authorization Server roundtrips this parameter, so your application receives the same value it sent. Possible uses include redirecting the user to the correct resource in your site, nonces, and cross-site-request-forgery mitigations.

我想使用状态参数来了解原始 oauth 请求是从哪个子域发起的。但是，redirect_state 参数似乎需要注册为“授权重定向 URI”之一的一部分。如果没有，我得到:

Error: redirect_uri_mismatch The redirect URI in the request: http://my_server.com/complete/google-oauth2/?redirect_state=2 did not match a registered redirect URI

我想要一个不需要在授权重定向 URI 中注册每个可能的 redirect_state 值的解决方案，因为这不太容易维护。有想法吗？

Answer 1

参数的名称是state(而不是redirect_state)!

根据 Google 文档的 OAuth 请求示例是 ->

https://accounts.google.com/o/oauth2/auth?
scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile&
state=%2Fprofile&
redirect_uri=https%3A%2F%2Foauth2-login-demo.appspot.com%2Fcode&
response_type=code&
client_id=812741506391.apps.googleusercontent.com&approval_prompt=force

请注意 State 参数和 redirect_uri 参数。我认为您混淆了两者。

编辑 - 请参阅此 link由谷歌。对状态参数和构建 Web 请求有很好的解释。