I’m Using OAuth2 with Doorkeeper to protect my API. The problem is that one

Question

0

Editorial Team

Asked: June 14, 20262026-06-14T03:22:04+00:00 2026-06-14T03:22:04+00:00

I’m Using OAuth2 with Doorkeeper to protect my API. The problem is that one

0

I’m Using OAuth2 with Doorkeeper to protect my API.

The problem is that one client had several different flows in which he redirects users to my OAuth flow.

He would like to dynamically add some parameters when redirecting the user to my OAuth flow and get these parameters back when I’m calling his callback URL. This way he will be able to tell from which flow this callback originated.

Is this possible with OAuth 2? with Doorkeeper? How?

Edit:

Thanks Zólyomi István for your hint.
I set the state parameter before calling the auth endpoint and got it back in the callback. However, I found that I get back a state parameter with some apparently random string even if I don’t set anything. Any idea what it is? I’d like to be sure I’m not messing up anything…

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-14T03:22:05+00:00

Well, using the state parameter was indeed the solution. Just adding state to the request and then getting it back when the control is returned to my code.
According to the specification:

The state parameter is used to link requests and callbacks to prevent
CSRF attacks where an attacker authorizes access to his own resources
and then tricks a users into following a edirect with the attacker’s
token.

Apparently ominauth oauth 2 assigns random value to this parameter unless it’s used in order to detect CSRF attacks.

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I’m Using OAuth2 with Doorkeeper to protect my API. The problem is that one

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply