I have incorporated Satellizer into my app with a variety of social login providers (Facebook, Twitter, Google). My stack consists of: AngularJS (UI Router) and NodeJS/Express.

I seem to be encountering a challenge setting up dynamic callback URLs for user authentication. My app does not have a consistent login URL such as http://example.com/login because all of my URLs are dynamic and token based, for example: http://example.com/XH12aT1771. In effect, my login user experience is a modal overlay and there isn't any consistent login page.

The challenge with my system in integrating with OAuth is after logging the user into my app via the modal overlay, I want to put them back in the exact room (or token) they're in, not redirect them to some callback URL page as this would be a poor user experience.

Is the only way to make my OAuth callback url hardcoded, something like: http://example.com/success and then redirect the user back to their token after they hit the /success page? Is this really the only way to do such a thing?

Let me know if you need any more question details, thanks for the help.

Matt
  • I have used third-party OAuth 2 for some applications, but never found the need to create static callback URLs. It should only match the base URL (i.e. http://example.com/) and should not bother about what is written after that. – Kop4lyf Nov 20 '14 at 09:54
  • Have you tried setting it to http://localhost? – Linda Lawton - DaImTo Nov 24 '14 at 14:08
  • Callback URL is usually hardcoded to a specific path. Maybe you could try having them hit your token route and then reroute them to the callback URL? I stick to http://passportjs.org/ in my node.js apps so not sure what's possible. – cchamberlain Nov 25 '14 at 00:02

4 Answers

I would not know about the options that Satellizer gives you, and it would also depend on the options supported by the Authorization Server (AS), but:

From a security perspective it is advisable to use a fixed callback URL anyway to prevent some of the attacks that may happen because of either broken/sloppy URL matching on the AS side, or accidental token leakage to 3rd parties on the RP side because of embedded images/iframes on pages that do not consume the token etc.

So regardless of whether there's another way, it would be good security practice to use a fixed callback URL anyway and you can (hopefully) associate the original URL with the state parameter that gets sent out or put it in a cookie and restore it after consuming the token on the callback URL.

Hans Z.
I am not familiar with Satellizer, but I have built a dynamic URL-based OAuth callback structure.

// Fixed base URL plus a per-invite path, so each invite code gets its own callback URL
$callback_url = Configure::read('Your.base') . 'connect/provider/signin/' . $invite_code;

We OAuth off a unique URL, which puts someone in a specific room.

Brian Mains
I am not familiar with Satellizer, but after a short read, there seems to be a possibility to configure the callback URL after login.

// Google
$authProvider.google({
  url: '/auth/google',
  authorizationEndpoint: 'https://accounts.google.com/o/oauth2/auth',
  // redirect back to whatever origin the browser is currently on
  redirectUri: window.location.origin || window.location.protocol + '//' + window.location.host,
  scope: ['profile', 'email'],
  scopePrefix: 'openid',
  scopeDelimiter: ' ',
  requiredUrlParams: ['scope'],
  optionalUrlParams: ['display'],
  display: 'popup',
  type: '2.0',
  popupOptions: { width: 452, height: 633 }
});

Here they configure the redirect URI directly to the location the user is currently at. See Satellizer Configuration.

Isn't this the thing you are looking for?

kfis
Seems like the answer should be either what kfis said or -

$authProvider.loginRedirect = '/'; // Change this relative path

per - Satellizer

cchamberlain