A modern programming language that makes developers happier.

kotlinlang

Hi team, I have an OAuth/authentication *best practices* question. In my app, I have a few pages that need to be OAuth authenticated. On each of these pages, I check for the user session first and redirect to login (“/login” is the one under `authenticate("auth-oauth-google")`):
```val userSession: UserSession = call.sessions.get() ?: return@get call.respondRedirect("/login")```
But as a result of successful authentication, I redirect to one of my pages:
```            get("/auth/callback") {
                val principal: OAuthAccessTokenResponse.OAuth2? = call.authentication.principal()
                call.sessions.set(UserSession(principal?.accessToken.toString()))
                call.respondRedirect("/status")
            }```
It worked fine when I had only one page under OAuth. But for multiple, how do I redirect *to the one that invoked the OAuth flow*? I’d like to avoid having a “landing” page that requires OAuth - my users most probably will use links/bookmarks to go to specific pages.

<https://www.oauth.com/oauth2-servers/redirect-uris/redirect-uri-registration/#per-request>

How do I pass state?
```return@get call.respondRedirect("/login?state=page1")```
does not seem to work

<https://www.rfc-editor.org/rfc/rfc6749#section-4.1.1> <https://www.rfc-editor.org/rfc/rfc6749#section-10.12>

To pass the state you can override the `NonceManager` :
```providerLookup = {
    OAuthServerSettings.OAuth2ServerSettings(
        // ...
        nonceManager = object : NonceManager {
            override suspend fun newNonce(): String {
                return request.uri
            }

            override suspend fun verifyNonce(nonce: String): Boolean {
                return true // Implement verification here
            }

        }
    )
}

// ...

get("/callback") {
    val page = call.parameters["state"]
    // ...
}```