set callback path dynamically

[khoan]

AFAIK, it's currently impossible to easily set callback dynamically per call.

I propose passing callback_path transparently from request phase to callback phase. Below is a monkey patch.

Thoughts?

module OmniAuth
  module Strategies
    class OAuth2
      alias_method :original_request_phase, :request_phase
      def request_phase
        session['omniauth.callback_path'] = request.params['callback_path']
        original_request_phase
      end

      alias_method :original_callback_phase, :callback_phase
      def callback_phase
        session.delete 'omniauth.callback_path'
        original_callback_phase
      end

      def callback_path
        @callback_path ||= session['omniauth.callback_path'] || super
      end
    end
  end
end

[isaacsanders]

Do you have any ideas for adding these hooks in the strategy? I would be happy to accept a pull request.

[jcoglan]

Allowing the redirect_uri to be set from user input probably opens up account theft attacks, for example via URL fragments in 302 redirects.