oAuth2 callbacks should have a state variable within them to verify the callback.
/?state=xyz&code=123However, when we click the "Add to Glip" button no state is passed. The callback URL looks like this:
code=123&client_id=XXXXXcreator_account_id=1234567890&creator_extension_id=0987654321Another problem is that as the callback does not occur in user's browser, we lost all kind of cookies/sessions. We have no idea who is the user clicking the "Add to Glip" button.