Don't include incoming querystring in Dropbox Business callback_url #3
Unlike most providers, the Dropbox Business (and Dropbox consumer) API
requires the callback_url to exactly match what is configured in their
web UI, including any querystring values. By default, OmniAuth appends any
incoming querystrings to the callback_url being sent to the
provider.
This means that if your app begins auths with something like:
/auth/dropbox_oauth2?auth_version=v2,
Your callback_url becomes:
/auth/dropbox_oauth2/callback?auth_version=v2
This doesn't exactly match Dropbox Business' overly strict requirements
for this URL:
/auth/dropbox_oauth2/callback
The fix is for this provider to override callback_url so that the
querystring is not appended automatically.
There is a long-going discussion to see whether this should be fixed
in omniauth-oauth2 or within each affected provider strategy:
omniauth/omniauth-oauth2#93
It's not super clear, but the consensus seems to be that this behavior
should be accounted for in the strategy.
Here's the similar issue for Dropbox (consumer):
icoretech/omniauth-dropbox2#2
Unmerged PR in the consumer library:
icoretech/omniauth-dropbox2#2
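
The mismatch described above, as an added example (not code from this PR or from OmniAuth): it builds the callback URL with and without the incoming query string and reports which URL component breaks an exact-match comparison. The host name and the helpers `build_callback_url` and `redirect_uri_mismatch` are assumptions standing in for the strategy and for the provider's check.

```ruby
require "uri"

# Constructed sample values; only the two paths come from the description above.
HOST          = "https://app.example.test"
CALLBACK_PATH = "/auth/dropbox_oauth2/callback"
REGISTERED    = HOST + CALLBACK_PATH # what would be configured in the provider's web UI

# Hypothetical helper modelling how the callback URL is assembled.
# append_query: true  -> default behaviour described above (query string carried over)
# append_query: false -> overridden behaviour (host + script name + callback path only)
def build_callback_url(full_host, script_name, callback_path, query_string, append_query:)
  url = "#{full_host}#{script_name}#{callback_path}"
  return url if !append_query || query_string.to_s.empty?

  "#{url}?#{query_string}"
end

# Hypothetical diagnostic: an exact string comparison, as a strict provider
# performs, plus the list of URL components that differ when it fails.
def redirect_uri_mismatch(registered, presented)
  return [] if registered == presented

  reg = URI.parse(registered)
  got = URI.parse(presented)
  diffs = %i[scheme host port path query].reject do |part|
    reg.public_send(part) == got.public_send(part)
  end
  diffs.empty? ? [:other] : diffs
end

if __FILE__ == $PROGRAM_NAME
  # Auth began at /auth/dropbox_oauth2?auth_version=v2
  [true, false].each do |append|
    url = build_callback_url(HOST, "", CALLBACK_PATH, "auth_version=v2", append_query: append)
    diffs = redirect_uri_mismatch(REGISTERED, url)
    verdict = diffs.empty? ? "exact match" : "mismatch in #{diffs.join(', ')}"
    puts "append_query=#{append}: #{url} -> #{verdict}"
  end
end
```
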