Support oauth_callback during request for an unauthorised request token
Allow an oauth_callback URL to be specified for each call to authenticate rather than a single URL location for the entire application.
-
Dumitru Lungu commented
Is support for oauth_callback still under development? It doesn't work as of Feb 2011. The callback parameter is totally ignored.
-
Kristof commented
I am currently developing an application which should run on a number of different domains for different clients.
Having oauth_callback supported would yield these benefits in my scenario:
1.) less possibility to enter something wrong
2.) as an additional security measure the application tags all links with a key. This is validated before information is entered into the system. Ideally I would be able to pass this dynamic parameter into Xero so it comes back to the callback function.
-
abhinav commented
I agree with the need for callback URL specification during each authentication workflow. I am working with the use case of applications running on a multi-tenant architecture where said application may run upon any number of subdomains within a root domain. If you're very keen to police callback specification, then suggest that you allow specification of root domain during creation of consumer key/secret and this in turn allows one to specify callback URLs of any subdomain of this root domain. Thoughts?
-
Phillip Haines commented
Hi Owen, Yes I think that would work, we might also need a parameter on the URL so if we have a predefined of https://examples.com/xero/oauth would it be possible to use a callback url of https://tenant.example.com/xero/oauth?cid=123 ?
-
owenevans commented
Thanks, that makes a lot of sense.
We may go down the route of validating to a root url and allowing oauth_callbacks to sub domains, would this suit you?
-
Phillip Haines commented
Hi Owen, We use a different sub domain for each tenant of our system. With a single URL we would no longer be able to use cookies to attach the user back to the correct session and complete a signup process with no additional plumbing.
Without looking into it in more detail I believe we would need to store the state of the incomplete authentication process in the database and use the authentication URL to produce an extra redirect back to the correct subdomain to complete the authentication.
-
owenevans commented
Could you give an example of a use case for this? We've put this on an application level to ensure we can vet the URLs to a certain extent.
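The thread turns on two things: a provider wanting to vet callback URLs, and clients wanting a per-request oauth_callback that stays on a registered root domain and can carry a tenant parameter such as `?cid=123`. The following is an added illustration of how a provider could reconcile the two; it is not Xero's code and does not describe how Xero validates callbacks. The registered root domain, path and the in-memory token store are assumptions for the example. The vetting rule is: scheme must match, no userinfo, host must be the registered domain or a subdomain of it, path must match exactly, fragments are rejected, and the query string passes through untouched so a tenant id can ride along. The callback is then bound to the request token it was supplied with, so the later redirect uses the per-request URL rather than an application-wide one.

```python
import secrets
from urllib.parse import urlencode, urlsplit

# Hypothetical per-application registration (what the thread calls
# "specification of root domain during creation of consumer key/secret").
REGISTERED = {"scheme": "https", "host": "example.com", "path": "/xero/oauth"}


def vet_callback(callback: str, registered: dict = REGISTERED) -> tuple[bool, str]:
    """Return (ok, reason) for a requested oauth_callback against the registration."""
    parts = urlsplit(callback)
    if parts.scheme != registered["scheme"]:
        return False, "scheme must be " + registered["scheme"]
    # Reject 'https://example.com@evil.test/...'-style userinfo, which would
    # otherwise make the netloc look like the registered host.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed in callback"
    host = parts.hostname  # lower-cased, port stripped
    if host is None:
        return False, "missing host"
    if parts.port not in (None, 443):
        return False, "non-default port not allowed"
    root = registered["host"]
    # Exact host or a subdomain of it; 'example.com.evil.test' fails here.
    if not (host == root or host.endswith("." + root)):
        return False, "host is not within registered root domain"
    if parts.path != registered["path"]:
        return False, "path does not match registered callback path"
    if parts.fragment:
        return False, "fragment not allowed"
    # Query string is deliberately allowed so a tenant id (e.g. cid=123) survives.
    return True, "ok"


class RequestTokenStore:
    """Constructed in-memory store binding each request token to its own callback."""

    def __init__(self, registered: dict = REGISTERED) -> None:
        self._registered = registered
        self._tokens: dict[str, dict] = {}

    def issue(self, consumer_key: str, callback: str) -> str:
        """Vet the per-request callback, then issue a request token bound to it."""
        ok, reason = vet_callback(callback, self._registered)
        if not ok:
            raise ValueError("oauth_callback rejected: " + reason)
        token = secrets.token_urlsafe(24)
        self._tokens[token] = {"consumer_key": consumer_key, "callback": callback}
        return token

    def authorized_redirect(self, token: str, verifier: str) -> str:
        """After the user authorises, redirect to the callback bound to this token (one-time use)."""
        entry = self._tokens.pop(token)  # KeyError for unknown or already-used tokens
        sep = "&" if urlsplit(entry["callback"]).query else "?"
        return entry["callback"] + sep + urlencode({"oauth_token": token, "oauth_verifier": verifier})


if __name__ == "__main__":
    store = RequestTokenStore()
    tok = store.issue("consumer-key", "https://tenant.example.com/xero/oauth?cid=123")
    print(store.authorized_redirect(tok, "verifier123"))
    for url in ["http://tenant.example.com/xero/oauth",
                "https://example.com.evil.test/xero/oauth",
                "https://example.com@evil.test/xero/oauth"]:
        print(url, "->", vet_callback(url))
```

Binding the callback to the request token is what makes a per-request callback safe for the provider to honour: the URL is checked once, at the request-token step, and the authorisation leg never takes a callback from the browser.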