Interrupted OAuth flow hijacks future requests (auth_callback_method) #49

canavese opened this Issue Dec 20, 2010 · 1 comment


We're seeing a problem case where a user initiates the OAuth flow and the session gets populated with auth_callback_method set to POST. Something keeps the full flow from completing (we're doing this on mobile phones, so that's not unlikely). So the user is back navigating the rest of our application with that parameter still stuck in the session.

As long as they try to hit URLs that do not work with POST, the Authlogic Connect code will continue to turn the requests into POSTs and result in 404s. It seems like the auth_callback_method handling should be restricted to particular URLs.

I'm trying to fix this myself, since it's a significant issue for the app I'm working on.

It seems like the "right" way to fix this would be for the CallbackFilter to compare the current path with auth_callback_url. If they match, then the request can be changed to use auth_callback_method. If it does not match, then the session should probably be cleared of all Authlogic Connect parameters. Does that sound right?

The problem I am having is that there doesn't seem to be a good way for the CallbackFilter to determine what auth_callback_url is. Any ideas?
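The fix sketched in the two paragraphs above, as an added example that is not Authlogic Connect's own CallbackFilter: a plain Rack-style middleware that only rewrites REQUEST_METHOD when the request path matches the callback URL, and otherwise clears the leftover OAuth keys so a half-finished flow cannot hijack later navigation. It assumes the callback URL was saved in the session as `auth_callback_url` next to `auth_callback_method` when the flow started (the issue notes the filter has no good way to discover it otherwise), that the app is mounted at the root so `PATH_INFO` is the full path, and the `ScopedCallbackFilter`/`simulate` names are the example's own.

```ruby
require 'uri'

# Illustrative middleware (not Authlogic Connect's CallbackFilter).
# Assumption: the OAuth start step stored both the callback method and the
# callback URL in the session under these two keys.
class ScopedCallbackFilter
  CALLBACK_KEYS = %w[auth_callback_method auth_callback_url].freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    session = env['rack.session'] ||= {}
    method  = session['auth_callback_method']
    url     = session['auth_callback_url']

    if method && url
      if callback_request?(env, url)
        # Only the callback endpoint itself gets the method override.
        env['REQUEST_METHOD'] = method.to_s.upcase
      else
        # Any other request means the flow was abandoned: drop the stale
        # state so it cannot turn unrelated GETs into POSTs.
        CALLBACK_KEYS.each { |key| session.delete(key) }
      end
    end

    @app.call(env)
  end

  private

  # Compare paths only; scheme, host and query string are ignored so a
  # callback registered as an absolute URL still matches the local request.
  def callback_request?(env, url)
    expected = URI.parse(url.to_s).path
    expected = '/' if expected.nil? || expected.empty?
    env['PATH_INFO'] == expected
  rescue URI::InvalidURIError
    false
  end
end

# Downstream app that reports which method it actually received.
RECORDING_APP = lambda { |env| [200, {}, [env['REQUEST_METHOD']]] }

# Runs one GET through the filter with the given session (constructed input)
# and returns the method the app saw plus the session afterwards.
def simulate(path, session)
  env = {
    'PATH_INFO'      => path,
    'REQUEST_METHOD' => 'GET',
    'rack.session'   => session
  }
  _status, _headers, body = ScopedCallbackFilter.new(RECORDING_APP).call(env)
  { method: body.first, session: session }
end

if __FILE__ == $PROGRAM_NAME
  stuck = { 'auth_callback_method' => 'post',
            'auth_callback_url'    => 'http://example.com/auth/callback' }
  p simulate('/auth/callback', stuck.dup)  # method "POST", session kept
  p simulate('/products/1', stuck.dup)     # method "GET", session cleared
end
```

The path comparison is deliberately exact; if the callback route carries a dynamic segment (for example a provider name), match against the same pattern the router uses rather than widening the check to a prefix, since a prefix match would reintroduce the original problem for every route underneath it.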
