OAUTH - Authorization URL "state" parameter is too long

Hi!

I'm building an OAUTH authorization flow initiated from a Google platform. In the authorization URL Google passes along a very long "state" parameter (500+ char) in the URL, yielding a "verbinding niet gevonden"/'connection not found' error from Bunq.

If I shorten the length of the 'state' parameter, there is no error on Bunq's side. But since Google is using the 'state' parameter as a bookmarking value, they do not allow for any alterations. There seems to be no way to resolve this issue on my side.

Is there a maximum length of the "state" parameter on Bunq's side? And is this working as designed?

    Hi Jan!

    I was looking into the OAuth documentation and stumbled on "The allowed length for state is not unlimited.". So, there is unfortunately no maximum length defined. bunq limits the state parameter to a maximum of 255 characters. Is there a way you can define the state value by yourself on that Google platform?

      Hi Andre! Thanks for your help. Could you share where you found this? Is that the Auth0 documentation you're referring to? The Bunq documentation refers to the OAuth 2.0 documentation, where I cannot find a mention of a maximum length.

      Indeed I'm not able to alter/shorten this value myself. Google uses this to authenticate the response from the server.

        Correct, found the doc on https://auth0.com/docs/protocols/oauth2/oauth-state.

        I am wondering why Google is using so many characters for the 'state' parameter. Normally it's just a unique token to identify the call. Which service do you use from Google? Let's see if we can find a workaround.

          A quick update: from the 26th of January 2019 the allowed length of the 'state' parameter will be 2048 characters (instead of the current 255). We will update the public API documentation accordingly. Happy coding!

            @Andre3000#54826 Hi Andre, thanks for looking into this and getting it on the roadmap (and so fast)! This is why I love Bunq. :)

              21 days later

              @Andre3000#54826 Hi Andre, thanks for helping out! The "state" parameter Google is sending is accepted.

              But I'm running into another problem in the next step: the Token Exchange. Bunq requires the "redirect_uri" parameter in the POST call to https://api.oauth.bunq.com/v1/token

              Google does not supply a "redirect_uri", leading to: "Missing required GET parameter "redirect uri"."

              Is this a hard requirement from Bunq, or can the "redirect_uri" parameter be made optional?

                @Jan-Magenta-Dolphin#60498 Are you sure that isn't possible? It is fairly common for OAuth implementations to require that parameter to be there including Google's own OAuth API :p
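The two problems raised in this thread (a provider-side cap on the length of `state`, and `redirect_uri` being required in the token exchange) can be handled by the integrating client without touching the upstream value. The following is an added illustration, not code from bunq, Google or the poster; it assumes a hypothetical authorize endpoint `https://oauth.example/authorize`, keeps the long upstream state server-side behind a short single-use handle when it would not fit, and always validates the state on callback (so it also serves as the CSRF check that `state` exists for).

```python
import secrets
from urllib.parse import urlencode

# Limit bunq applied when this thread was opened; the thread later says it was
# raised to 2048 on 26 January 2019. Adjust to the provider you integrate with.
STATE_MAX_LEN = 255
TOKEN_URL = "https://api.oauth.bunq.com/v1/token"   # quoted in the thread
AUTHORIZE_URL = "https://oauth.example/authorize"   # placeholder, assumed endpoint


class StateBroker:
    """Keeps the upstream (e.g. Google-supplied) state on our server and hands the
    provider a value that fits its length limit. Every issued value is single-use,
    so the callback is also rejected on replay or on an unknown state (CSRF)."""

    def __init__(self, max_len: int = STATE_MAX_LEN):
        self.max_len = max_len
        self._pending = {}  # provider-facing state -> upstream state

    def issue(self, upstream_state: str) -> str:
        if len(upstream_state) <= self.max_len:
            provider_state = upstream_state              # fits: pass through verbatim
        else:
            provider_state = secrets.token_urlsafe(32)   # 43-char unguessable handle
        self._pending[provider_state] = upstream_state
        return provider_state

    def resolve(self, returned_state: str) -> str:
        """Map the state echoed back by the provider to the upstream value; the
        entry is removed so a replayed callback cannot succeed a second time."""
        try:
            return self._pending.pop(returned_state)
        except KeyError:
            raise ValueError("unknown or already-used state; rejecting callback") from None


def authorization_url(client_id: str, redirect_uri: str, provider_state: str,
                      max_len: int = STATE_MAX_LEN) -> str:
    if len(provider_state) > max_len:
        raise ValueError(f"state is {len(provider_state)} chars, provider allows {max_len}")
    query = {"response_type": "code", "client_id": client_id,
             "redirect_uri": redirect_uri, "state": provider_state}
    return f"{AUTHORIZE_URL}?{urlencode(query)}"


def token_request_body(code: str, client_id: str, client_secret: str, redirect_uri: str) -> dict:
    """Form body for POST TOKEN_URL. RFC 6749 section 4.1.3 makes redirect_uri REQUIRED
    here whenever it was sent in the authorization request, so the client must
    supply it itself rather than expect the upstream platform to provide it."""
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
            "client_id": client_id, "client_secret": client_secret}
```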
