Envato API dynamic redirect url possible?

if try to make redirect dynamic here i get error …is it possible to do?
https://api.envato.com/authorization?response_type=code&client_id= [CLIENT ID] &redirect_uri= **[REDIRECT URI]

{“error”:“invalid_request”,“error_description”:“Wrong RedirectUri provided”}

What I do is use my own site as a middleware. I send them to my site with the redirection url, set a cookie containing the redirect url, and send them off to Envato for OAuth. Then they get redirected back to my site which sees the cookie and acts accordingly.

1 Like

Hi @latheeshvmv,

I’m guessing by dynamic redirect you want to pass extra parameters to the redirect URI. This is indeed possible, as long as the confirmation URL you provided when you created the app already contains a parameter.

Here’s an example:

  1. Create an app that uses the following confirmation URL:
    https://example.com/redirect_handler?param=foo

  2. Generate an authorization code request URL that passes an extra parameter (state in this case):
    https://api.envato.com/authorization?response_type=code&client_id=your-client-id-here&redirect_uri=https://example.com/redirect_handler?param=foo&state=abc123

  3. Once the user grants the permissions, they get redirected to the following URL:
    https://example.com/redirect_handler?param=foo&code=temporary-code-value-here&state=abc123

You can pass whatever values you like in the state parameter used in this example. To make this work, ensure the confirmation URI you provide when creating the app contains a URL parameter (param=foo in this case).

Alternatively, you can do as @baileyherbert suggests and use a cookie or other persistence mechanism.

2 Likes

@baileyherbert @rosssimpson Thanks for answer :), i have a doubt like this .if i am going for this method(api) ,my website will stand in between api and user website . So that makes

  1. Me responsible for securely saving the data
  2. What if my website stop working for some reason. user wont be able to update the theme.
  3. Does n’t it make the earlier method more secure and better method than new api?

Please let me know your suggestions

@rosssimpson Sorry for not explaining my question in detail. I tried to have a different url …example.com changes based on the user’s website …
But i was not aware of this technique of passing extra parameters , thanks for the info .That’s really usefull ! . Let me try something with it…got some ideas :slight_smile:

Hi @latheeshvmv,

Thanks for explaining in more detail. Due to the security model of oauth apps, there can be only the one redirect URI per app. However, using the state parameter technique I mentioned you can handle multiple clients with a single app.

Regarding your security questions, the short answer is yes – as your website becomes a component in the critical path of theme activation/updates, it needs to store data securely and be engineered for resiliency. The previous API we used was actually much less secure, as it placed security tokens in the URL and didn’t always use secure transport mechanisms.

If you want to provide registration/ticketing/update/etc. functionality to verified buyers, using the API as described here and in the other post is the best approach we have.

@rosssimpson Thanks for explanation . Is it a good idea to save the details to user’s website instead of my website standing in between? I have not tested it

as you have explained it is possible to have dynamic redirect with extra parameters… what if i pass the user website url and redirect to my website (process the website and data there) and redirect to user’s website again with code and save the purchase details in user’s database?