Google/OAuth Passing State
I'm implementing an invite type system, where the user can join a team with an invite code. This all works with the normal password flow (I added the invite code as an argument to the action) with a custom change to read the argument, but I'm not quite sure how to get that invite code through the various redirects for google/oauth flows, so it gets added to the google registration action as an argument.
Previously in other tools and languages I've passed state back and forth as query params on the redirect_url or state. Is there any mechanism for that with the existing strategies? I want to support both invite code and no invite codes based on the registration url.
So far, I've been able to work around this by utilizing the secrets module for building up the authorization_params. If I add a state keyword, then it gets forwarded to Assent (though that is deprecated) and passed through the flow. So far, that works for passing the state back and forth between redirects! I can pass the invite code back and forth in the state (though I think I'll also want to include a nonce, and Assent will verify it).
However, I'm not sure now how to get that state/invite code back to the action.
Any suggestions on where to start?

2 Replies
I think the way I would do it would be to store that state in the user's session and pop it out again after registration. You can always put a plug/pipeline before the auth routes for that.
That’s a good idea and won’t require changes to Ash Auth internals (though I think a way to set/pop auth state could be helpful).
I think I’d need custom auth controllers in order to put that state into the Ash context for my user action, though, since I’ll need to control the request/callback phase. I’ll try and work through that tonight.
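The session approach suggested in the first reply, sketched as an added example that is not part of the original thread or Ash Authentication's own code. It uses only Plug.Conn; the module name, the session key, the `invite_code` parameter name and the code format are assumptions, and how the popped value reaches the registration action is left out because the thread does not settle it.

```elixir
defmodule MyAppWeb.Plugs.StashInviteCode do
  @moduledoc """
  Hypothetical plug: copies a well-formed `invite_code` query parameter into the
  session before the OAuth request phase, so it survives the provider redirects.
  Assumes the pipeline has already run `fetch_session`.
  """
  import Plug.Conn

  # Assumed session key name.
  @session_key :pending_invite_code

  def init(opts), do: opts

  def call(conn, _opts) do
    conn = fetch_query_params(conn)

    case conn.query_params do
      %{"invite_code" => code} when is_binary(code) ->
        if valid_format?(code) do
          put_session(conn, @session_key, code)
        else
          # Malformed value: do not store it, and drop any earlier stash.
          delete_session(conn, @session_key)
        end

      _ ->
        # No invite_code on this request. The provider callback also lands
        # here without one, so the stash must not be cleared at this point.
        conn
    end
  end

  @doc """
  Reads the stashed code once and removes it. Returns `{code_or_nil, conn}`.
  The code is still untrusted input: look it up against your invite records
  before letting it change team membership.
  """
  def pop_invite_code(conn) do
    code = get_session(conn, @session_key)
    {code, delete_session(conn, @session_key)}
  end

  # Assumed invite code format; adjust to match how your codes are generated.
  defp valid_format?(code), do: Regex.match?(~r/\A[A-Za-z0-9_-]{8,64}\z/, code)
end
```

Because the value lives in the server-issued session rather than in the OAuth `state` parameter, it never travels through the provider, and `state` stays free for the CSRF nonce.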