Just to clarify, do you mean after the app is installed on the merchant's account for the first time?
@Frank Faustino. Yes. That's exactly what I mean.
Make sure the app has been installed on your merchant's account first before attempting the OAuth flow. If the OAuth flow is interrupted by having to install the app on your merchant's account, the state field in the OAuth response is lost.
Could this be reopened and treated as a bug? This seems like a bug in Clover's implementation of the OAuth protocol. Here is the OAuth RFC reference: https://tools.ietf.org/html/rfc6749#page-25. Is there some technical reason why the user must go through 2 separate flows to install the app and then separately do OAuth instead of being able to do both together? All that is required is passing the state variable back to the caller as is customary.
It is definitely inconvenient that the state parameter is lost when the app isn't installed yet by a merchant and the merchant gets redirected to the marketplace page, i.e. this https://sandbox.dev.clover.com/oauth/authorize?client_id={MY_APP_ID}&state={MY_STATE} redirects here https://sandbox.dev.clover.com/appmarket/m/{MERCHANT_ID}/apps/{MY_APP_ID}/?merchant_id={MERCHANT_ID}&state={MY_STATE} and preserves the state, but when you click the Connect button there, the OAuth callback is called without the state query parameter. This means that the user would get back to my app but I can't match this user to his account in my app because the state is lost, so I would ask the user to reconnect again and only then it'll work.
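One way for an app's callback handler to cope with the missing-state case described in this thread, as an added example that is not part of the original posts or Clover's code: a callback without a matching state is never accepted, and the authorize step is restarted with a fresh state instead. The session dict, the `app.example` callback URL used for testing and the function names are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import urlencode, parse_qs, urlsplit

# Authorize endpoint as quoted in the thread; CLIENT_ID is a placeholder.
AUTHORIZE_URL = "https://sandbox.dev.clover.com/oauth/authorize"
CLIENT_ID = "MY_APP_ID"


def begin_authorization(session: dict) -> str:
    """Mint a single-use state, bind it to the user's session, return the redirect URL."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state  # hypothetical server-side session store
    return AUTHORIZE_URL + "?" + urlencode({"client_id": CLIENT_ID, "state": state})


def handle_callback(session: dict, callback_url: str) -> tuple:
    """Return (action, detail); action is 'exchange', 'restart' or 'reject'."""
    params = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)  # consumed on every callback
    returned = params.get("state", [None])[0]
    code = params.get("code", [None])[0]

    if returned is None:
        # Install-interrupted case from the thread: the callback has no state.
        # The code cannot be tied to this session, so it is discarded and the
        # user is sent through authorize again with a fresh state.
        return "restart", begin_authorization(session)
    if expected is None or not hmac.compare_digest(
        returned.encode(), expected.encode()
    ):
        # Unknown, replayed or forged state: do not exchange the code.
        return "reject", "state mismatch"
    if not code:
        return "reject", "missing code"
    return "exchange", code  # safe to trade the code for a token
```

Because the app is already installed on the second pass, the restarted flow returns with its state intact and the user can be matched to the session that began it.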