question

aminyazdani avatar image
aminyazdani asked twinmind commented

OAuth Flow: state variable not passed back with token the first time, but it works the second time.

We are implementing OAuth flow, and we have one issue. When we initiate the oauth flow, we pass a state variable to Clover. We expect that state variable to be there when we receive the token, but the first time a merchant approves the access, the state token is not passed to us.
It will work the second time though.

Any ideas what is the issue or how we can resolve this?
OAuthAPI TokenMerchant
2 comments
10 |2000

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Frank Faustino avatar image Frank Faustino ♦♦ commented ·

Just to clarify, do you mean after the app is installed on the merchant's account for the first time?

1 Like 1 ·
aminyazdani avatar image aminyazdani Frank Faustino ♦♦ commented ·

@Frank Faustino. Yes. That's exactly what I mean.

0 Likes 0 ·

1 Answer

Frank Faustino avatar image
Frank Faustino Deactivated answered twinmind commented

Make sure the app has been installed on your merchant's account first before attempting the OAuth flow. If the OAuth flow is interrupted by having to install the app on your merchant's account, the state field in the OAuth response is lost.

2 comments
10 |2000

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

dbaskin avatar image dbaskin commented ·

Could this be reopened and treated as a bug? This seems like a bug in Clover's implementation of the OAuth protocol. Here is the OAuth RFC reference: https://tools.ietf.org/html/rfc6749#page-25. Is there some technical reason why the user must go through 2 separate flows to install the app and then separately do OAuth instead of being able to do both together? All that is required is passing the state variable back to the caller as is customary.

1 Like 1 ·
twinmind avatar image twinmind commented ·

This is definitely inconvenient that state parameter is lost when app isn't installed yet by a merchant and merchant gets redirected to marketplace page, i.e this https://sandbox.dev.clover.com/oauth/authorize?client_id={MY_APP_ID}&state={MY_STATE} redirects here https://sandbox.dev.clover.com/appmarket/m/{MERCHANT_ID}/apps/{MY_APP_ID}/?merchant_id={MERCHANT_ID}&state={MY_STATE} and preserves the state, but when you click Connect button there the oauth callback is being called without state query parameter. This means that user would get back to my app but I can't match this user to his account in my app because the state is lost, so I would ask user to reconnect again and only then it'll work.

0 Likes 0 ·

Welcome to the
Clover Developer Community