How to Redirect to Multiple URLs
When you register an OAuth client app that uses the Authorization Code (3-legged OAuth) flow, you are limited to registering a maximum of five Redirect URLs. Indeed limits the number of redirect URLs to follow current security best practices for OAuth apps.
But what if you need to redirect a user to more than five URLs? What if you need to redirect a user to dozens, hundreds, or even thousands of different destinations? If you need to dynamically redirect a user to multiple URLs, then you should take advantage of the OAuth
You can add a state parameter to your authorize link, like this:
After the Indeed user completes the Authorization Code (3-legged OAuth) flow, we return the value of the state parameter in your redirect URL:
The state parameter can contain any value, including a URL. If you want to pass a URL with the state parameter, such as https://somesite.com, then ensure that you URL-encode it, like this:
When the Indeed user is redirected back to your app, you can use the value of the state parameter to redirect the user to another destination such as
Don't Expose the Authorization Code in the Referer Header
If you redirect a user to an untrusted website, then you reveal the OAuth authorization code in the HTTP referer header. The HTTP referer header passes the previous URL that requested a page.
Note: The word “referer” is misspelled in the HTTP referer specification.
The danger with using the state parameter is that you may unintentionally expose the authorization code to the website represented by the state parameter. That website likely logs the authorization code in its website logs.
To prevent the authorization code from leaking, we recommend that you perform a redirect to yet another page. You can redirect the user to another trusted page in your app before redirecting them to the untrusted app. The HTTP referer header only reveals the previous URL and not any URLs requested before that.
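The following sketch is an added example, not Indeed's code: it builds an authorize link with a URL-encoded destination in state, then handles the callback with the extra trusted hop described above so the destination never sees the authorization code in the Referer. The endpoint, the app URLs, the client ID, the in-memory store, the https check and the redeem_code callback are all assumptions made for illustration.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Placeholders for illustration, not Indeed's real endpoint or a real app.
AUTHORIZE_ENDPOINT = "https://auth.example.com/oauth/authorize"
REDIRECT_URI = "https://myapp.example/callback"   # the one registered redirect URL
CONTINUE_PAGE = "https://myapp.example/continue"  # trusted intermediate page

_pending = {}  # one-time token -> destination (stand-in for a session store)

def build_authorize_link(client_id, destination):
    """Carry the final destination in state; urlencode() percent-encodes it."""
    return AUTHORIZE_ENDPOINT + "?" + urlencode({
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "state": destination,
    })

def handle_callback(callback_url, redeem_code):
    """Hop 1: this URL carries ?code=..., so never redirect off-site from here."""
    params = parse_qs(urlsplit(callback_url).query)  # parse_qs URL-decodes values
    destination = params["state"][0]
    if urlsplit(destination).scheme != "https":      # added sanity check (assumption)
        raise ValueError("state does not hold an https URL")
    redeem_code(params["code"][0])                   # exchange the code server-side
    token = secrets.token_urlsafe(16)
    _pending[token] = destination
    return CONTINUE_PAGE + "?" + urlencode({"t": token})  # no code in this URL

def handle_continue(continue_url):
    """Hop 2: the Referer the destination sees is this code-free URL."""
    token = parse_qs(urlsplit(continue_url).query)["t"][0]
    return _pending.pop(token)                       # one-time use; KeyError if replayed

if __name__ == "__main__":
    print(build_authorize_link("my-client-id", "https://somesite.com"))
    # Constructed callback, shaped as the authorization server would send it:
    cb = REDIRECT_URI + "?code=sample.code.123&state=https%3A%2F%2Fsomesite.com"
    hop = handle_callback(cb, redeem_code=lambda code: None)
    print(hop, "->", handle_continue(hop))
```

Keeping the destination server-side behind a one-time token also means the intermediate page cannot be used to bounce users to arbitrary URLs.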
Avoid Appending Query Parameters to the Redirect URI
Currently, Indeed supports using query string parameters in the redirect URI.
The authorize link above includes a redirect_uri parameter with the value https://somesite.com?return=https://someothersite.com. Notice that the redirect_uri parameter includes a query parameter named return that contains another redirect URL.
While Indeed currently supports query string parameters in the redirect_uri parameter, we may discontinue support for query parameters in the future. So, we encourage you to use the state parameter as an alternative to using query parameters in the