answered
2017-10-14 01:12:08 +0200
The redirect url in OAuth2 is there to make sure that after the resource owner (user, RO) has successfully authenticated to the authorization server (AS), the AS redirects the browser to this URL with a query parameter containing the token. The idea is that after you register your redirect uri (that is really in your control) in the AS, then your app should watch out for this browser redirect to this exact uri and extract the token from the query parameter when the request comes to it.
In other words, the redirect from the browser (view) has to come to your app specifically and none other. That is why you have to register it. It makes full sense when you have a server app. Then you have control over a URL, you get a request to that URL with the token in a parameter, your implementation then extracts it and you are fine.
It is much more tricky when you have a mobile client app.
This was the theory.
Update.
Looked a bit further, and here is what pycage mentioned in a relevant discussion:
"having the SilicaWebview watch the uri property and react to it in the onUriChanged signal handler, if the redirect_uri matches the one I'm expecting."
https://lists.sailfishos.org/pipermail/devel/2014-February/003425.html
And here is the code:
https://github.com/pycage/cargodock/blob/dd4dbb32c05922cf713eeb49416d2aa3526fe95f/src/dropboxapi/dropboxapi.cpp
My position is that using a WebView is not at all a good OAuth2 practice. Instead a normal browser should be used (as Android has now implemented and enforced) but I do not think there is app support for handling the redirect in a browser in SailfishOS. So... :)
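As an added illustration (not code from this answer or from cargodock), this is what the "watch the uri and react in onUriChanged if it matches the redirect_uri" check looks like when the match is exact rather than a loose prefix comparison, and how the token is pulled out of the query or fragment. The registered redirect URI, the parameter names and the navigation sequence are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed for this example: the redirect URI registered at the
# authorization server. The app must only accept redirects to exactly this.
REGISTERED_REDIRECT_URI = "https://app.example/oauth/callback"


def is_registered_redirect(url: str, registered: str = REGISTERED_REDIRECT_URI) -> bool:
    """Exact match of scheme, host, port and path against the registered URI.
    Query and fragment carry the token, so they are excluded from the comparison.
    A plain str.startswith() check would accept a different host or a longer
    path; comparing the parsed components avoids that."""
    got, want = urlsplit(url), urlsplit(registered)
    return (got.scheme.lower() == want.scheme.lower()
            and (got.hostname or "") == (want.hostname or "")   # hostname is lowercased
            and got.port == want.port
            and got.path == want.path)


def extract_token(url: str):
    """Return (parameter_name, value) for the token-bearing parameter of a
    redirect the WebView landed on, or None if the URL is not the registered
    redirect URI. 'code' is the authorization code flow parameter; the implicit
    flow puts 'access_token' in the fragment, so both locations are checked."""
    if not is_registered_redirect(url):
        return None
    parts = urlsplit(url)
    for raw in (parts.query, parts.fragment):
        params = parse_qs(raw)
        for name in ("code", "access_token"):
            if name in params:
                return name, params[name][0]
    return None


def watch_uri_changes(navigations):
    """Mimic the onUriChanged handler: inspect each URL the WebView moves to and
    stop at the first one that is the registered redirect carrying a token."""
    for url in navigations:
        found = extract_token(url)
        if found is not None:
            return found
    return None
```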