Support multiple redirect urls per oauth app
There are multiple instances of our application in production and we use oauth to connect to box. With only one redirect URI per app, it becomes difficult to maintain.
Also, with the recent announcement "[ACTION REQUIRED] Box application redirect URL changes that affect your app" of having mandatory redirect_uri this is even more limiting.
Is there any way to contact support and add multiple redirect urls for an oauth app?
Are there any approaches to solve this problem?
The ability to add multiple redirects to an OAuth 2 application is being reviewed for potential inclusion into the application creation process, but at the current time there isn't a timeline on when / if that will be added.
With that said, here are the two main options that I would suggest:
- Using the state parameter: When you redirect a user as part of the login flow, there is a state parameter that may be set to pass information through the login / authorization flow (listed in the query params here). If you want to use a single application what you could potentially do is have all of your application types (dev / QA / prod) all use the same redirect URI but pass a state parameter through to indicate which environment should be used. You can then route to the proper application logic at that point. This is assuming that your environments are set up in a way to support this.
- Using separate applications: The other option would be to separate out each environment into its own OAuth 2 application. Personally this is the way I would go as it maintains a good separation of concerns, and ensures that your keys / client ID / client secret for your production application is the most secure as they're not embedded within dev / QA apps as well.
I know it's not ideal at the current time, but we'll continue working on improving the process to make the app management process easier.