我目前已经实现了一个 NodeJs,使用xero-nodesdk 包表达 api,我遇到了一个问题,似乎没有使用 OAuth 状态参数(尽管我看到它被定义为 XeroClient 构造函数的可选参数:
export interface IXeroClientConfig {
clientId: string,
clientSecret: string,
redirectUris: string[],
scopes: string[],
state?: string
}
谁能确认这是否已实施?
我假设它会像这样工作:
const xero = new XeroClient({
clientId: xeroParams.clientId,
clientSecret: xeroParams.clientSecret,
redirectUris: [xeroParams.redirectUrl],
scopes: xeroParams.scopes.split(' '),
state: this.callback_state,
});
//then when building the consent url like this, the state param would be included
const consentUrl = await xero.buildConsentUrl();
然后,当回调被触发时,我希望能够作为查询参数之一访问state code。这里解释的内容大致
相同我已经看到返回session_state参数,但这与我提供的状态代码不匹配。
下面介绍了如何使用xero-nodeSDK 通过 OAuth 流传递状态:
https://github.com/SerKnight/xero-node-basic-app/blob/master/index.js#L37
例:
- 首先生成同意 URL,然后附加自定义参数。
app.get('/connect', async function(req, res) {
try {
let consentUrl = await xero.buildConsentUrl();
res.redirect(consentUrl + "&state=THIS_IS_A_STANDARD_OAUTH_2_STATE_PARAMETER"); // Append any type of state/params you would like
} catch (err) {
res.send("Sorry, something went wrong");
}
})
...
app.get('/callback', async function(req, res) {
let url = redirectUri + req.originalUrl;
console.log('req.query: ', req.query) // this will the the same state/params you passed to the API
// ...do api stuff..
// ref: https://github.com/XeroAPI/xero-node-oauth2-app
res.send(req.query);
})
https://github.com/SerKnight/xero-node-basic-app/blob/master/index.js#L37
值得注意的是,XeroClient 的可选state:参数是为 openidclient 的东西保留的。不要使用它。只需将其附加到同意 URL。