How to include additional parameters in the authorization URL

Hello all,

I am trying to include additional parameters in my authorization URL and then access them in my backend lambda function. Below is what I have


const clientId = 'eb417d75-cf9d-4b91-9c78-707b396d7ff7';
const redirectUri = 'https://xxxxxx.com/dev/redirect_uri';
const scopes = 'core::'; /

// Additional parameters if needed
const additionalParams = {
param1: 'value1',
param2: 'value2',
};

// Construct the query string manually to avoid incorrect encoding
const queryParams = new URLSearchParams({
response_type: 'code',
client_id: clientId,
redirect_uri: redirectUri,
scope: scopes,
...additionalParams,
}).toString();


1. const d2lAuthorizationUrl = https://auth.brightspace.com/oauth2/auth?${queryParams};


2. const d2lAuthorizationUrl = https://auth.brightspace.com/oauth2/auth?response_type=code&client_id=${clientId}&redirect_uri=${encodeURIComponent(redirectUri)}&scope=${encodeURIComponent(scopes)}&param1=value1&param2=value2;

window.location.href = d2lAuthorizationUrl;

In both the scenarios I am able to get the authorization code but not the additional params(undefined)

const authorizationCode = event.queryStringParameters.code; const param1 = queryStringParameters.param1;
const param2 = queryStringParameters.param2;

Is it possible to send additional parameters along with my authorizationUrl ?? If yes please guide me here.

Thanks

Aravind

Tagged:

Answers

  • Viktor.H.147
    Viktor.H.147 Posts: 47

    Hey Aravind,

    Note (with reference to RFC 6749, Section 4.1.1) that you may not pass arbitrary query parameters on the Authorization Request. If you have a need to round-trip state through the Authorization workflow, then you can use the state query parameter as described in Section 4.1.1 (which D2L's Authorization Server does support). You should be aware, of course, that the contents of the query string of the request do go through the user's browser and are therefore subject to inspection/tampering — as a result, you may want to take steps to either make your state data unpredictable, or perhaps armoured with a signature (but those are both topics that are outside the current scope of this discussion).