Using AuthorizationCodeWebApp class in .NET8 WebApi #2856
Comments
@amanda-tarafa should be able to help you tomorrow. |
The redirect URI you pass to Once you have obtained a State is not a URI in your application that Google will redirect the user to. State is whatever you need it to be so you can propagate information during the authentication process. As I said earlier, this may be used to pass the original URI the user requested and/or the user identifier, etc. |
@amanda-tarafa Thank you for your response. I will try it on the weekend and give you feedback. |
@amanda-tarafa I tested your suggestions and here are my findings. The call of the I also noticed that the google-api-dotnet-client/Src/Support/Google.Apis.Auth/OAuth2/Web/AuthorizationCodeWebApp.cs Lines 113 to 120 in a598168
Is that intentional? If yes, why? And how can I obtain the original data? As the string is random length I cannot just strip the end of the string. Thank you for your help. |
The documentation is not specific about which URIs may be passed for code exchange beyond the fact that they need to be allowlisted for your client ID. But yes, it's usual to pass the same URI. I cannot say with certainty that's because the URI is encoded in the authorization code or that the Auth service can map the code with the URI, etc. nor that it will happen for all cases. Maybe the OAuth team can give you a better answer, you can find their support channels at the bottom of the documentation link above. The random number added will always have `var random = new Random().Next(int.Parse(rndString)).ToString("D" + StateRandomLength);` This is a primitive means to allow you to match a code authorization request with its specific callback, if you need to do so. There's a TODO in the code to allow deactivating the addition of this random number, we might look into that at some point, but I can't give an ETA at the moment. For the time being, you can confidently remove the last Let me know if you have more questions. |
@akordowski I'll be closing this issue as I believe I've replied to all your questions and things are now working. Leave a new comment if you believe otherwise. |
@amanda-tarafa Thank you for the explanation, that helped me a lot.
I was confused by the name of the property and thought that the length of the state is random. As it is 8 chars in length, I can just cut it from the end.
Any interest for a PR regarding this TODO? Thank you for your help! |
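The state handling discussed in this thread, as an added example that is not part of the issue or of the library's code: it checks the `state` from the callback against the value stored when the request was made, then separates the 8-character numeric suffix from the original data. `StateSplitter`, `TrySplit` and `MatchesStored` are hypothetical names; the sample state is the one quoted in the issue.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example; StateSplitter and its members are hypothetical names, not library API.
public static class StateSplitter
{
    // Length of the numeric suffix, per the thread (8 characters).
    private const int SuffixLength = 8;

    // Splits the callback state into the caller's original data and the appended suffix.
    // Returns false when the value cannot be a state built as described in the thread.
    public static bool TrySplit(string callbackState, out string original, out string suffix)
    {
        original = suffix = string.Empty;
        if (callbackState is null || callbackState.Length < SuffixLength) return false;

        var tail = callbackState.Substring(callbackState.Length - SuffixLength);
        // ToString("D8") yields ASCII digits only; reject anything else.
        if (!tail.All(c => c >= '0' && c <= '9')) return false;

        original = callbackState.Substring(0, callbackState.Length - SuffixLength);
        suffix = tail;
        return true;
    }

    // Compares the callback state with the value stored when the request was issued,
    // in constant time, so a callback is accepted only for a request that was recorded.
    public static bool MatchesStored(string callbackState, string storedState)
    {
        if (callbackState is null || storedState is null) return false;
        return CryptographicOperations.FixedTimeEquals(
            Encoding.UTF8.GetBytes(callbackState), Encoding.UTF8.GetBytes(storedState));
    }

    public static void Main()
    {
        // Sample values copied from the state quoted in the issue.
        const string stored = "https://localhost:7187/YouTube/State00801791";
        const string fromCallback = "https://localhost:7187/YouTube/State00801791";

        if (MatchesStored(fromCallback, stored) && TrySplit(fromCallback, out var original, out var suffix))
            Console.WriteLine($"original={original} suffix={suffix}");
        else
            Console.WriteLine("state rejected");
    }
}
```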
If you are up for a potentially slow review and back and forth, then that's fine. We are somewhat busy at the moment. Also, consider that we wouldn't accept a breaking change for this, nor "weirdness" around flow creation, etc. Maybe draft a PR in terms of how the change will affect the library public surface, and when we have that pinned down you can work on implementation and tests. |
Ok, will see if I can spare some time ;) Thank you. |
I would like to pick up on the issue #2826. I have been trying for days to figure out how to use the `AuthorizationCodeWebApp` class in a .NET 8 WebApi. I couldn't find any example so far, so I really hope anyone can help on this. Here is the code I have so far:

The `Redirect()` method is called with `https://localhost:7187/YouTube/Redirect?state=https://localhost:7187/YouTube/State00801791&code=...&scope=https://www.googleapis.com/auth/youtube.readonly`. The state `https://localhost:7187/YouTube/State00801791` is also stored in the `DataStore`. But I have no idea how to use it. I tried to call `_flow.ExchangeCodeForTokenAsync()` but it throws an exception with the message `TokenResponseException: Error:"redirect_uri_mismatch", Description:"Bad Request", Uri:""`. Is that even the way to go?

The API has its own authentication provider. The authorization on Google should be rather a delegate authorization just for the services to use, not the API itself.

Can anyone provide an example how to proceed or give a hint at least? Any help is much appreciated! Thanks in advance.