handle_callback: Handle OAuth 2.0 callback: verify state, swap code for token, verify token

Description

Handle OAuth 2.0 callback: verify state, swap code for token, verify token

Usage

handle_callback(
  oauth_client,
  code,
  payload,
  browser_token,
  decrypted_payload = NULL,
  state_store_values = NULL,
  shiny_session = NULL
)

Value

An OAuthToken` object containing the access token, refresh token, expiration time, user information (if requested), and ID token (if applicable). If any step of the process fails (e.g., state verification, token exchange, token validation), an error is thrown indicating the failure reason.

Arguments

oauth_client: An OAuthClient object representing the OAuth client configuration.
code: The authorization code received from the OAuth provider during the callback.
payload: The encrypted state payload received from the OAuth provider during the callback (this should be the same value that was generated and sent in prepare_call()).
browser_token: Browser token present in the user's session (this is managed by oauth_module_server() and should match the one used in prepare_call()).
decrypted_payload: Optional pre-decrypted and validated payload list (as returned by state_decrypt_gcm() followed by internal validation). Supplying this allows callers to validate and bind the state on the main thread before dispatching to a background worker for async flows.
state_store_values: Optional pre-fetched state store entry (a list with browser_token, pkce_code_verifier, and nonce). When supplied, the function will skip reading/removing from oauth_client@state_store and use the provided values instead. This supports async flows that prefetch and remove the single-use state entry on the main thread to avoid cross-process cache visibility issues.
shiny_session: Optional pre-captured Shiny session context (from capture_shiny_session_context()) to include in audit events. Used when calling from async workers that lack access to the reactive domain.

Examples

Run this code

# Please note: `prepare_call()` & `handle_callback()` are typically
# not called by users of this package directly, but are called 
# internally by `oauth_module_server()`. These functions are exported
# nonetheless for advanced use cases. Most users will not need to
# call these functions directly

# Below code shows generic usage of `prepare_call()` and `handle_callback()`
# (code is not run because it would require user interaction)
if (FALSE) {
# Define client
client <- oauth_client(
  provider = oauth_provider_github(),
  client_id = Sys.getenv("GITHUB_OAUTH_CLIENT_ID"),
  client_secret = Sys.getenv("GITHUB_OAUTH_CLIENT_SECRET"),
  redirect_uri = "http://127.0.0.1:8100"
)

# Get authorization URL and and store state in client's state store
# `` is a token that identifies the browser session
#  and would typically be stored in a browser cookie
#  (`oauth_module_server()` handles this typically)
authorization_url <- prepare_call(client, "")

# Redirect user to authorization URL; retrieve code & payload from query;
# read also `` from browser cookie
# (`oauth_module_server()` handles this typically)
code <- "..."
payload <- "..."
browser_token <- "..."

# Handle callback, exchanging code for token and validating state
# (`oauth_module_server()` handles this typically)
token <- handle_callback(client, code, payload, browser_token)
}

Run the code above in your browser using DataLab