What if my authorization URL is dynamic?

Any dynamic values you need for your authorization process, can be passed through the process using the state parameter.

Utilizing the state parameter #

Whilst the primary reason for the state parameter is documented as preventing CSRF, it can also be used to provide customization to your OAuth flow.

Rather than dedicating the state parameter entirely to CSRF, it is common for the parameter to be a JSON string, which is then encrypted using an algorithm, for example, SHA256:

    "csrf": "random-string",
    "customer_id": "1234-abcd",
    "return_path": "/settings/dashboard"

Will then become;


When you receive the request at the end of the OAuth process, the state parameter can be decrypted and the various values within it used as necessary. The encryption ensures that users cannot tamper with the contents and so you can be confident the values within it can be trusted.

Adding additional URIs for your application #

We can add additional URIs to your applications allowed list upon request. To do this, please email these addresses, along with your client_id, to support@cronofy.com.