I’m working on a Java REST server serving an iPhone app. Now we have to integrate with a third-party service exposed via the OAuth2 protocol. This is new to me, so I’ve been reading and writing some “proof of concept” code, but I have a big problem, or I fundamentally don’t understand something…
I made a simple web page with a “log in with XXX” button that the user sees in a web view. When he clicks it, the login page of the third-party service opens and he can approve my app, at which time they redirect the user to a URL I’ve specified, with the authorization code as a parameter. This URL points to a REST service on my server.
The problem is that this URL must be exactly the same as the one I set up when registering my app for their service. Since I’m running a REST server, I have no way of knowing which user we are talking about when the redirection to my server happens (there is no session). I wanted to do this identification with some query or path param, but they don’t allow it.
Does any of this make sense to you, or am I implementing this in the wrong way? The only possible solution I can imagine now would be with the help of cookies, but I’m not really fond of that…
Yes, that does make sense. You’ve got a few different options; try one of these:
Use the state parameter of the authorization request for transmitting some user id. The provider is required to return it back to you in its redirect.
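The following is an added example, not code from the question or the answer above, showing the state-parameter approach in Java: the server puts a signed, expiring, single-use token that names the user into state when it builds the authorization URL, and the callback endpoint behind the fixed redirect URI verifies that token to recover the user. The class and method names, the provider URL, client id and callback path are illustrative assumptions, and the in-memory nonce map stands in for whatever store the real server would use.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example (not from the original post): the OAuth 2.0 "state" parameter carried as a
// signed, expiring, single-use token that names the user, so the fixed redirect URI can be
// mapped back to that user without cookies or a server session. Class and method names, the
// provider URL, client id and callback path are illustrative assumptions.
public class StateTokenService {
    private static final long TTL_MILLIS = 10 * 60 * 1000L; // the user must finish consenting within 10 minutes
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private final byte[] hmacKey;                           // server-side secret; never leaves the server
    private final SecureRandom random = new SecureRandom();
    // nonce -> expiry, kept until redeemed or expired so each state value is accepted exactly once
    private final Map<String, Long> pending = new ConcurrentHashMap<>();

    public StateTokenService(byte[] hmacKey) {
        this.hmacKey = hmacKey.clone();
    }

    /** Builds the authorization URL for one user. redirect_uri must match the URI registered with the provider exactly. */
    public String authorizationUrl(String authorizeEndpoint, String clientId, String redirectUri, String userId) {
        return authorizeEndpoint
                + "?response_type=code"
                + "&client_id=" + enc(clientId)
                + "&redirect_uri=" + enc(redirectUri)
                + "&state=" + enc(issue(userId));
    }

    /** state = base64url( base64url(userId) "." nonce "." expiry "." base64url(HMAC-SHA256(key, payload)) ). */
    public String issue(String userId) {
        byte[] nonceBytes = new byte[16];
        random.nextBytes(nonceBytes);
        String nonce = B64.encodeToString(nonceBytes);
        long expiry = System.currentTimeMillis() + TTL_MILLIS;
        String payload = B64.encodeToString(userId.getBytes(StandardCharsets.UTF_8)) + "." + nonce + "." + expiry;
        pending.put(nonce, expiry);
        String token = payload + "." + B64.encodeToString(mac(payload));
        return B64.encodeToString(token.getBytes(StandardCharsets.UTF_8));
    }

    /** Called by the callback endpoint; returns the user id, or null if the state is forged, expired or replayed. */
    public String consume(String state) {
        try {
            String token = new String(Base64.getUrlDecoder().decode(state), StandardCharsets.UTF_8);
            String[] parts = token.split("\\.", -1);
            if (parts.length != 4) return null;
            String payload = parts[0] + "." + parts[1] + "." + parts[2];
            byte[] presented = Base64.getUrlDecoder().decode(parts[3]);
            // constant-time comparison: a forged or edited state is rejected before anything in it is trusted
            if (!MessageDigest.isEqual(presented, mac(payload))) return null;
            if (System.currentTimeMillis() > Long.parseLong(parts[2])) return null;
            // remove() returns null for an unknown or already-redeemed nonce, which rejects replays
            if (pending.remove(parts[1]) == null) return null;
            return new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) { // malformed base64 or a non-numeric expiry
            return null;
        }
    }

    private byte[] mac(String payload) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(hmacKey, "HmacSHA256"));
            return mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
        } catch (java.security.GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key); // in production load the key from configuration, not per process start
        StateTokenService svc = new StateTokenService(key);

        // 1. The web view is sent to this URL (hypothetical provider, client id and callback).
        String url = svc.authorizationUrl("https://provider.example/oauth/authorize", "my-client-id",
                "https://api.example.com/oauth/callback", "user-42");
        System.out.println("authorize: " + url);

        // 2. The provider redirects to the fixed callback with ?code=...&state=...; the REST endpoint
        //    reads the state query parameter (simulated here by cutting it out of the URL) and redeems it.
        String state = URLDecoder.decode(url.substring(url.indexOf("state=") + 6), StandardCharsets.UTF_8);
        System.out.println("callback belongs to user: " + svc.consume(state));
        System.out.println("same state redeemed again: " + svc.consume(state));
        System.out.println("tampered state: " + svc.consume(state.substring(1)));
    }
}
```

The HMAC is what lets the callback trust the user id without a session: only the server can mint a valid state, so an attacker cannot craft a callback that attaches their authorization code to someone else's account. The expiry and the single-use nonce limit how long a captured state stays useful. Once consume returns a user id, the endpoint exchanges the code for tokens and stores them against that user.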