php - Google OAuth2: Custom Nonce Parameter Not Passed Back in Redirect - Stack Overflow

admin管理员组

文章数量:1332352

I'm working on integrating Google OAuth2 into a WordPress plugin and trying to secure the authorization flow using a custom nonce parameter. Here’s what I’ve done:

1. Generated the nonce and added it to the authorization URL using add_query_arg:

nonce = wp_create_nonce('seo_insights_auth_nonce');
$authUrl = $client->createAuthUrl();
$authUrl = add_query_arg('nonce', $nonce, $authUrl);

2. Stored the nonce in the WordPress database for validation after the callback:

update_option('seo_insights_auth_nonce', $nonce);

3. Checked the nonce on the callback:

$stored_nonce = get_option('seo_insights_auth_nonce');
$received_nonce = isset($_GET['nonce']) ? sanitize_text_field($_GET['nonce']) : '';
if (!$stored_nonce || $received_nonce !== $stored_nonce) {
    error_log("Invalid or missing nonce. Stored: $stored_nonce, Received: $received_nonce");
    return;
}

However, after Google redirects back to my plugin, the nonce parameter is missing from the URL. Here’s the authorization URL being generated:

?...&nonce=abcdef123456

And here’s the URL received after Google redirects back:

.php?page=seo-insights-settings&code=...&scope=...

What I've Tried :

• Ensuring the nonce parameter is properly added to the authorization URL.
• Logging and validating the generated nonce on both sides.
• Switching to using the state parameter for validation, as suggested in the Google OAuth2 documentation.

My Questions :

• Is Google OAuth2 designed to ignore custom parameters like nonce?
• If state is the only reliable way to pass custom data, how do I handle both state and nonce securely in this flow? Any insights or recommendations for handling this issue securely within Google OAuth2 would be greatly appreciated!

Thanks in advance!

本文标签： phpGoogle OAuth2 Custom Nonce Parameter Not Passed Back in RedirectStack Overflow