How to Redirect to Multiple URLs

When you register an OAuth client app that uses the Authorization Code (3-legged OAuth) flow, you are limited to registering a maximum of five Redirect URLs. Indeed limits the number of redirect URLs to follow current security best practices for OAuth apps.

But what if you need to redirect a user to more than five URLs? What if you need to redirect a user to dozens, hundreds, or even thousands of different destinations? If you need to dynamically redirect a user to multiple URLs, then you should take advantage of the OAuth state parameter.

You can add a state parameter to your authorize link, like this:

https://secure.indeed.com/oauth/v2/authorize?client_id=6nwwcdklwgktryjw2j5fxh5t2fyneule7zg7mvw3pf9jbx3wmewzlxkdz1jxvs6b&redirect_uri=http%3A%2F%2Fwww.acerecruitersllc.com%2Foauth%2Findeed&response_type=code&scope=email+offline_access+employer_access&state=AnyValue

After the Indeed user completes the Authorization Code (3-legged OAuth) flow, we return the value of the state parameter in your redirect URL:

GET http://www.acerecruitersllc.com/oauth/indeed?code=rXZSMNyYQHQ&state=AnyValue

The state parameter can contain any value, including a URL. If you want to pass a URL in the state parameter, such as https://somesite.com, ensure that you URL-encode it, like this:

https://secure.indeed.com/oauth/v2/authorize?client_id=6nwwcdklwgktryjw2j5fxh5t2fyneule7zg7mvw3pf9jbx3wmewzlxkdz1jxvs6b&redirect_uri=http%3A%2F%2Fwww.acerecruitersllc.com%2Foauth%2Findeed&response_type=code&scope=email+offline_access+employer_access&state=https%3A%2F%2Fsomesite.com

When the Indeed user is redirected back to your app, you can use the value of the state parameter to redirect the user to another destination such as https://somesite.com.

Don't Expose the Authorization Code in the Referer Header

If you redirect a user to an untrusted website, then you reveal the OAuth authorization code in the HTTP referer header. The HTTP referer header carries the URL of the page that the request came from, which in this case is your redirect URL, complete with its code query parameter.

Note: The word “referer” is misspelled in the HTTP referer specification.

The danger in using the state parameter this way is that you may unintentionally expose the authorization code to the website named in the state parameter. That website likely records the authorization code in its web server logs.

To prevent the authorization code from leaking, we recommend that you perform a redirect to yet another page. Redirect the user to another trusted page in your app, one whose URL does not contain the code, before redirecting them to the untrusted site. The HTTP referer header only reveals the previous URL, not any URLs requested before that.
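As an added example (not Indeed's code, and not part of this page's original content), the following Python sketch walks through the whole procedure described above: building the authorize link with a URL-encoded destination in state, reading code and state back from the callback, and then sending the user through a trusted interstitial page so that the external site only ever sees a referer URL without the authorization code. The redirect URI, scopes and callback code value are the ones shown on this page; the client ID placeholder, the /oauth/continue path and the destination allowlist are assumptions.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Values taken from the authorize links on this page, except CLIENT_ID, which is a placeholder.
AUTHORIZE_ENDPOINT = "https://secure.indeed.com/oauth/v2/authorize"
CLIENT_ID = "REPLACE_WITH_YOUR_CLIENT_ID"  # placeholder, not a real client ID
REDIRECT_URI = "http://www.acerecruitersllc.com/oauth/indeed"  # one of the registered redirect URLs
SCOPES = "email offline_access employer_access"

# Assumed: a trusted page in the same app whose only job is to forward the user onward.
CONTINUE_PAGE = "http://www.acerecruitersllc.com/oauth/continue"

# Assumed: destinations the app is willing to send users to. The state value comes back
# from the browser, so anything not on this list is refused rather than followed.
ALLOWED_DESTINATION_HOSTS = {"somesite.com", "someothersite.com"}


def build_authorize_url(destination: str) -> str:
    """Build the authorize link, carrying the post-login destination in the state parameter.

    urlencode percent-encodes the destination (':' -> %3A, '/' -> %2F) and joins the scopes
    with '+', giving the same shape as the links shown on this page."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": SCOPES,
        "state": destination,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url: str) -> tuple:
    """Return (code, destination) from the GET that Indeed makes to the redirect URL.

    parse_qs reverses the percent-encoding, so state comes back as a plain URL."""
    query = parse_qs(urlsplit(callback_url).query)
    return query["code"][0], query["state"][0]


def is_allowed_destination(url: str) -> bool:
    """Accept only absolute https URLs whose host is on the allowlist."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in ALLOWED_DESTINATION_HOSTS


def first_redirect(callback_url: str) -> str:
    """Handle the callback: check the destination, then send the user to the interstitial page.

    The returned URL deliberately carries no code, so that is all the next hop's
    referer header can reveal."""
    code, destination = parse_callback(callback_url)
    if not is_allowed_destination(destination):
        raise ValueError(f"refusing to redirect to {destination!r}")
    # The code is used only server-side, in the token exchange (not shown here);
    # it is never placed in a URL the browser will navigate to next.
    return f"{CONTINUE_PAGE}?{urlencode({'to': destination})}"


def second_redirect(continue_url: str) -> str:
    """Handle the interstitial page: re-check the destination and send the user on.

    The external site sees CONTINUE_PAGE as the referer, and that URL holds no code."""
    destination = parse_qs(urlsplit(continue_url).query)["to"][0]
    if not is_allowed_destination(destination):
        raise ValueError(f"refusing to redirect to {destination!r}")
    return destination


def code_leaks_via_referer(url_before_external_hop: str) -> bool:
    """True if the URL the browser leaves from (the future referer) still contains the code."""
    return "code" in parse_qs(urlsplit(url_before_external_hop).query)


if __name__ == "__main__":
    print(build_authorize_url("https://somesite.com"))
    # Constructed callback, using the code value shown on this page.
    callback = f"{REDIRECT_URI}?code=rXZSMNyYQHQ&state=https%3A%2F%2Fsomesite.com"
    hop1 = first_redirect(callback)
    print("direct redirect from the callback would leak the code:", code_leaks_via_referer(callback))
    print("redirect from the interstitial leaks the code:", code_leaks_via_referer(hop1))
    print("final destination:", second_redirect(hop1))
```

The allowlist check is a design choice of this example rather than something the page requires: because the state value round-trips through the user's browser, treating it as an arbitrary redirect target would let anyone who can craft an authorize link choose where your app sends users, so the app re-validates it on both hops. A production app would also bind the state to the user's session so the callback can be matched to the request that started it.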

Avoid Appending Query Parameters to the Redirect URI

Currently, Indeed supports using query string parameters in the redirect URI.

https://secure.indeed.com/oauth/v2/authorize?client_id=80f9f4bd6a34cac31daebe1a093a606ce6b34e91ae6cfa139432ae387269a529&response_type=code&state=random&scope=email+offline_access+employer_access&redirect_uri=https%3A%2F%2Fsomesite.com%3Freturn%3Dhttps%3A%2F%2Fsomeothersite.com

The authorize link above includes a redirect_uri parameter with the value https://somesite.com?return=https://someothersite.com. Notice that the redirect_uri parameter includes a query parameter named return that contains another redirect URL.

While Indeed currently supports query string parameters in the redirect_uri parameter, we may discontinue that support in the future. So, we encourage you to use the state parameter instead of query parameters in the redirect_uri parameter.