OAuth Authentication Code Flow: change variable name in authenticated response URL containing code from "code" to something else

  • Question
  • Updated 1 year ago
  • Answered
I am building a RingCentral application on a server that for security purposes will not take any POST/GET variables other than a specified one.  When I try to authenticate, the response url which contains the code as a query string variable with the variable name "code", causes my server to stop the script from running.  I would like to change the variable name in the response url that contains the authorization code.  Is this possible? Can it be done using response_type?  RingCentral specifies on the API that response_type must be set to "code" so I'm not sure.  Any advice would be highly appreciated.
Sachal Malick

Posted 1 year ago

John Wang, Official Rep
The parameter named "code" is a required field in the OAuth 2.0 standard, IETF RFC 6749, so it is commonly used and accepted.

https://tools.ietf.org/html/rfc6749#section-4.1.2

The behavior of your server sounds odd. Is this logic part of your own application code or a framework you are using? Do you know why it does this and whether the logic can be changed?
(Edited)
Sachal Malick
The logic is part of a framework I am using and it cannot be changed.  I imagine it is to protect the server from attacks hidden in GET/POST requests.
What are my options?
John Wang, Official Rep
What framework do you use? I'm curious if others will run into this same issue.

One option you can use is to redirect to a server on a different hostname and then retrieve the authorization code from the URL on the client-side. You can then exchange the authorization code for an access token on the browser side or possibly send the auth code to your server to do the exchange (so the access token isn't exposed on the browser).

For example, if you wanted to, you could set up a free Github pages website say, https://myuser.github.io and redirect there to have the browser end up with https://myuser.github.io?code=rc_auth_code, then use the browser client-side JS to extract the code and then use it either in the browser to get an access token or possibly transfer to your server to do the exchange.

You can see a demo of client-side processing in the "public/index.html" page client-side JS code here:

https://github.com/ringcentral/ringcentral-demos-oauth/tree/master/javascript
(Edited)
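As an added illustration of the client-side step described in this answer (example code written for this page, not the RingCentral demo's own code): the browser lands on the separate hostname, parses the redirect URL, checks the OAuth `state` value it generated before the redirect (RFC 6749 §10.12, which the answer does not mention but which stops a third party from injecting their own code), and then packages the code for the app server under a parameter name of your choosing. The redirect URL, the `state` value, the exchange endpoint and the parameter name `authorizationCode` are constructed placeholders.

```javascript
// Parse the authorization response that the browser received on the
// separate hostname (e.g. https://myuser.github.io/?code=...&state=...).
// expectedState is the random value stored (e.g. in sessionStorage) before
// the user was sent to the authorization server.
function parseAuthorizationResponse(redirectUrl, expectedState) {
  const params = new URL(redirectUrl).searchParams;

  // RFC 6749 section 4.1.2.1: a failed authorization comes back with "error".
  if (params.has('error')) {
    return { ok: false, error: params.get('error'),
             description: params.get('error_description') || '' };
  }
  const code = params.get('code');
  if (!code) {
    return { ok: false, error: 'missing_code',
             description: 'no authorization code in redirect URL' };
  }
  // Bind the response to this browser session: a missing or mismatched
  // "state" means the code did not come from a flow we started, so drop it.
  if (!expectedState || params.get('state') !== expectedState) {
    return { ok: false, error: 'state_mismatch',
             description: 'state parameter missing or does not match' };
  }
  return { ok: true, code };
}

// Hand the code to the app server for the token exchange so the access
// token never reaches the browser. The code travels in a JSON body under a
// name the app server is assumed to accept ("authorizationCode" is a
// placeholder); this is where the variable name is changed from "code".
function buildExchangeRequest(code, endpoint) {
  return {
    url: endpoint,
    options: {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ authorizationCode: code }),
    },
  };
}

// Constructed sample of what location.href would hold after the redirect.
const SAMPLE_REDIRECT = 'https://myuser.github.io/?code=rc_auth_code&state=abc123';
const SAMPLE_EXCHANGE_ENDPOINT = 'https://app.example.com/oauth/exchange';
```

In the browser you would call `parseAuthorizationResponse(location.href, sessionStorage.getItem('oauth_state'))`, then `fetch(req.url, req.options)` with the result of `buildExchangeRequest`, and clear the code from the address bar with `history.replaceState` so it does not linger in browser history.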
Sachal Malick
Hi John,

Thanks for your reply. That is the solution I ended up going with, though I was hoping to avoid it.
You can follow up with me at sachal.malick@studyswap.org if you're curious about my app.
John Wang, Official Rep
Your site looks very interesting and I will certainly take you up on your offer.

Regarding hosting a separate service for the callback, some services will allow hosting the callback on their own domain so we can look into that as well.