I have an app that allows a user to associate their social media accounts with their Meteor account using OAuth2 calls to the social media site’s public API. In most cases I can append the Meteor account ID to the OAuth2 redirect_uri as a query parameter like this:
redirect_uri : 'https://mydomain.com/callback/facebook?accountId=12345'
and the accountId will be returned in the OAuth response. However, I have one social media site that doesn’t allow query parameters on the redirect_uri. I’ve tried other places in the call to stash the accountId, like an x-header or embedded in the user-agent, but nothing seems to work. Server-side session variables require the accountId to access, and cookies are client side. Since the OAuth callback doesn’t come back to the same thread/fiber, there doesn’t appear to be a solution to this without the OAuth callback including some unique and predictable value.
The only thing I’ve been able to come up with is to include the accountId in my app’s URL for the page. Then it would come back to me in the referrer. But that exposes the accountId to the user which may not be a big deal since it can always be found with the debugger.
Does anyone have any other solutions that I’ve overlooked, or comments on the idea of adding the accountId to the page URL?
Just to clarify what I’m trying to do: I am not trying to use 3rd party social media sites as alternative login sources to my app (i.e., not “Log in with Facebook”). I’m after the OAuth access token so the app can view the user’s last tweet or FB post. So the existing Meteor social media login extensions are of no use to me.
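An added example, not part of the original post: OAuth2 defines a `state` request parameter that the authorization server returns unchanged on the callback, so it can carry the account binding without touching `redirect_uri`, and signing it keeps a caller from substituting another account's ID. The endpoint, client ID, callback path, secret handling and 10-minute lifetime below are assumptions, as is the provider honouring `state` per RFC 6749.

```javascript
// Added example, not code from the original post.
const crypto = require('crypto');

const STATE_TTL_MS = 10 * 60 * 1000; // constructed value: state valid for 10 minutes

function sign(payload, secret) {
  return crypto.createHmac('sha256', secret).update(payload).digest('base64url');
}

// Build the value sent as `state` on the authorization request.
function makeState(accountId, secret, now = Date.now()) {
  const body = { a: accountId, n: crypto.randomBytes(16).toString('hex'), e: now + STATE_TTL_MS };
  const payload = Buffer.from(JSON.stringify(body)).toString('base64url');
  return `${payload}.${sign(payload, secret)}`;
}

// Validate `state` from the callback; returns the accountId, or null if the
// value is missing, malformed, signed with another key, altered or expired.
function verifyState(state, secret, now = Date.now()) {
  if (typeof state !== 'string') return null;
  const parts = state.split('.');
  if (parts.length !== 2) return null;
  const [payload, mac] = parts;
  const expected = Buffer.from(sign(payload, secret));
  const given = Buffer.from(mac);
  // Constant-time comparison; lengths must match before timingSafeEqual.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  let body;
  try {
    body = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
  if (!body || typeof body.e !== 'number' || now > body.e) return null;
  return body.a;
}

// Hypothetical authorization URL; host, client_id and callback path are placeholders.
function authorizeUrl(accountId, secret) {
  const u = new URL('https://provider.example/oauth2/authorize');
  u.searchParams.set('response_type', 'code');
  u.searchParams.set('client_id', 'CLIENT_ID_PLACEHOLDER');
  u.searchParams.set('redirect_uri', 'https://mydomain.com/callback/provider');
  u.searchParams.set('state', makeState(accountId, secret));
  return u.toString();
}
```

The random nonce makes each value unique, but rejecting a replayed `state` additionally requires storing the nonce server-side and discarding it after first use.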