I'm working on integrating Google OAuth2 into a WordPress plugin and trying to secure the authorization flow using a custom nonce parameter. Here’s what I’ve done:
1. Generated the nonce and added it to the authorization URL using add_query_arg:
nonce = wp_create_nonce('seo_insights_auth_nonce');
$authUrl = $client->createAuthUrl();
$authUrl = add_query_arg('nonce', $nonce, $authUrl);
2. Stored the nonce in the WordPress database for validation after the callback:
update_option('seo_insights_auth_nonce', $nonce);
3. Checked the nonce on the callback:
$stored_nonce = get_option('seo_insights_auth_nonce');
$received_nonce = isset($_GET['nonce']) ? sanitize_text_field($_GET['nonce']) : '';
if (!$stored_nonce || $received_nonce !== $stored_nonce) {
error_log("Invalid or missing nonce. Stored: $stored_nonce, Received: $received_nonce");
return;
}
However, after Google redirects back to my plugin, the nonce parameter is missing from the URL. Here’s the authorization URL being generated:
?...&nonce=abcdef123456
And here’s the URL received after Google redirects back:
.php?page=seo-insights-settings&code=...&scope=...
What I've Tried :
- Ensuring the nonce parameter is properly added to the authorization URL.
- Logging and validating the generated nonce on both sides.
- Switching to using the state parameter for validation, as suggested in the Google OAuth2 documentation.
My Questions :
- Is Google OAuth2 designed to ignore custom parameters like nonce?
- If state is the only reliable way to pass custom data, how do I handle both state and nonce securely in this flow? Any insights or recommendations for handling this issue securely within Google OAuth2 would be greatly appreciated!
Thanks in advance!