By eason

2011-10-11 06:17:10 8 Comments

How to add parameters to the Google OAuth2 redirect_uri?

Just like this redirect_uri=

The b of a=b is random.

Can anyone help?


@DhruvPathak 2011-10-11 06:22:35

  1. You cannot add anything to the redirect URI; the redirect URI is constant, as set in the app settings of OAuth, e.g.:

  2. To pass several parameters to your redirect URI, store them in the state parameter before calling the OAuth URL; the URL after authorization will send the same parameters to your redirect URI as state=THE_STATE_PARAMETERS

So for your case, do this:

1. Create a JSON string of your parameters ->

{ "a" : "b" , "c" : 1 }

2. Do a base64UrlEncode to make it URL safe ->

$stateString = base64UrlEncode('{ "a" : "b" , "c" : 1 }');

This is a PHP example of base64UrlEncoding & decoding:

// Base64-encode, then swap the characters that are not URL safe
function base64UrlEncode($inputStr)
{
    return strtr(base64_encode($inputStr), '+/=', '-_,');
}

// Reverse the character swap, then base64-decode
function base64UrlDecode($inputStr)
{
    return base64_decode(strtr($inputStr, '-_,', '+/='));
}

So now state would be something like: stateString -> asawerwerwfgsg,

Pass this state in OAuth authorization URL:

For server side flow it will come along with token :,

For client side flow it will come in the hash along with access token:,

Retrieve the state, base64UrlDecode it, json_decode it, and you have your data.

See more about google OAuth 2 here:

@ricosrealm 2013-06-02 02:00:14

base64 is used to obfuscate the data as well as url encode it, if you would need a little bit of extra 'security' through obscurity.

@ericsicons 2015-01-25 06:48:23

@DhruvPathak perfect, I needed to send a custom parameter back with linkedin API redirect and it's same method you described.

@Empty 2015-03-19 19:02:18

Is accessing the query params and token and response data being visible in the URL in the first place OK?

@DhruvPathak 2015-03-20 08:49:13

Phoebe, the token present in the url is not the final access token, it needs to be exchanged for an access token using OAuth apis along with app secret keys.

@SsjCosty 2015-05-20 13:45:16

I tried this suggestion, but for some reason my state always comes back truncated from Google... Any idea why?

@Ven 2016-01-24 17:31:25

@SsjCosty same here, and I have no idea how to fix that :|.

@Rahim 2017-02-23 07:41:04

The state parameter is used to prevent CSRF attacks during the OAuth flow. You have to set a token in the state parameter when initiating the flow and you should check if you get back the same token in the state parameter when your redirect_uri is hit. Don't do what is done in this answer. A session based solution is probably what you should look at.

@hellboy 2017-04-11 11:31:15

How can I use state param to pass several parameters to redirect uri and to prevent CSRF attack at the same time ?

@Krishna38 2018-05-07 10:47:54

Hi @DhruvPathak, while setting up the state parameter, the value is changed after authentication. Could you please suggest on this

@Kevin Etore 2018-05-07 21:40:15

@hellboy I'm wondering the same thing. Did you manage to add several parameters to the state param (custom values and prevent CSRF attacks)?

@bgraves 2018-12-19 10:33:12

Have a look at… if you work with Spring Social!
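
Added example, not part of the posts above and not Google's code: one way to do what the comments on this answer ask for, carrying several parameters in state while still using it as a CSRF token. The payload is signed with an HMAC and bound to a per-session nonce; STATE_KEY, build_state() and parse_state() are hypothetical names, and the key value is a placeholder.

```php
<?php
// Added example: `state` carries a CSRF nonce AND extra parameters.
// STATE_KEY, build_state() and parse_state() are hypothetical names.
const STATE_KEY = 'PLACEHOLDER-load-a-random-secret-from-server-config';

function b64url_encode(string $s): string {
    // URL-safe alphabet, no padding, so nothing needs escaping in a query string
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

function b64url_decode(string $s) {
    return base64_decode(strtr($s, '-_', '+/'));
}

function build_state(array $params, string $nonce): string {
    $payload = b64url_encode(json_encode(['n' => $nonce, 'p' => $params]));
    $mac = b64url_encode(hash_hmac('sha256', $payload, STATE_KEY, true));
    return $payload . '.' . $mac;
}

function parse_state(string $state, string $sessionNonce): ?array {
    $parts = explode('.', $state);
    if (count($parts) !== 2) {
        return null;                                  // malformed
    }
    [$payload, $mac] = $parts;
    $expected = b64url_encode(hash_hmac('sha256', $payload, STATE_KEY, true));
    if (!hash_equals($expected, $mac)) {
        return null;                                  // payload was altered
    }
    $data = json_decode((string) b64url_decode($payload), true);
    if (!is_array($data) || !is_string($data['n'] ?? null) || !is_array($data['p'] ?? null)) {
        return null;
    }
    // CSRF check: the nonce must be the one stored in this browser's session
    return hash_equals($sessionNonce, $data['n']) ? $data['p'] : null;
}

// Before redirecting to the authorization URL (a real app keeps $nonce in $_SESSION):
$nonce = bin2hex(random_bytes(16));
$state = build_state(['a' => 'b', 'c' => 1], $nonce);

// In the redirect_uri handler (a real app reads $_GET['state']):
var_dump(parse_state($state, $nonce));                      // matching session
var_dump(parse_state($state, bin2hex(random_bytes(16))));   // different session
var_dump(parse_state($state . 'x', $nonce));                // altered value
```

The payload is only encoded, not encrypted, so anything placed in it is readable by the user and by anything that logs the URL.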

@Kiran 2014-09-24 10:28:32

You can redirect parameter with url as below,

When you get the response from Google, then you can pass the parameter with the URL,

See below php code for same,

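// Google redirected back to this script with an authorization code
if (isset($_GET['code'])) {
   // Keep the token held by the Google client ($client) in the session
   $_SESSION['token'] = $client->getAccessToken();
   // Redirect to this same script with the extra parameter appended
   $redirect = 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'];
   header('Location: ' . filter_var($redirect, FILTER_SANITIZE_URL) . '?r=page/view');
}

In the above example, r=page/view is the parameter on which I want the response with parameter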

@lol 2015-01-02 15:01:49

This is where the state parameter is sent in the google provided PHP code. There are three requests made server side. This means that the final request won't have any query string variables at all.

@Jayant Varshney 2018-04-04 13:41:16

works like a charm! I know we can send information in the state param but if application is expecting any value directly as the request param, then it fails. The method you have provided is perfect for this scenario. Thanks!

@rufo 2012-07-14 11:01:14

If you are in .NET you could save the parameters in the Session


and redirect to the authorization page without parameters


@spender 2014-01-30 16:32:48

This does not scale when using a webfarm such as azure.

@rufo 2014-01-30 19:20:01

@spender: so you imply that two requests almost in sequence from the same client might be handled by different servers in the webfarm. If that's the case, this is not the only thing affected, basically Session variable couldn't be used in that scenario for anything. BTW: I am not arguing - actually trying to learn here.

@spender 2014-01-31 02:12:52

It's entirely possible, yes... You can mitigate this by managing session with a session server or backing session off to the database (see, or to enable sticky sessions on your load-balancer to ensure that clients always return to the same webserver node. All of the options I've mentioned are a PITA to set up, so IMO, storing any client state in Session should be avoided.
