Can I add additional query parameters to a redirect url?

For example to include some state after the user is redirected back after login

When using the StytchLoginComponent (stytch/next-js), if I add any additional query parameters I get this error:

{
  "status_code": 400,
  "request_id": "request-id-test-666ca568-41c2-4061-95c0-1070d3c4aa26",
  "error_type": "query_params_do_not_match",
  "error_message": "The redirect url in the request provided query parameters that did not match any redirect URLs set on the Stytch dashboard for this project. Please visit https://stytch.com/dashboard/redirect-urls to make any necessary updates. For more information on why this validation is necessary please visit https://stytch.com/docs/api/url-validation",
  "error_url": "https://stytch.com/docs/api/errors/400#query_params_do_not_match"
}

Ah, I see it now in the docs

image1250×636 61.2 KB

The error is gone now, but the query parameters I passed in are not sent back to my authenticate endpoint

Hey Alan – thanks for posting!

Would you mind sharing the redirect URL value that you’re passing into the login component (with any sensitive values redacted), as well as the value that you allowlisted in the Stytch Dashboard? We’d definitely expect the parameters to be passed back to your application during the redirect!

Thanks for the response. Now that it’s not late at night, I can see there was an error on my side and the parameter wasn’t being passed in!

Awesome, glad to hear that! Late nights get us all! Let us know if there’s anything else we can help out with.

Now seeing a different issue:

This is the login URL, and I’m getting back a 403 now

https://test.stytch.com/v1/public/oauth/google/start?public_token=public-token-test-4dc83bfd-da9e-4a96-b219-e42407eef19d&login_redirect_url=http%3A%2F%2Flocalhost%3A3001%2Fauthenticate%3FloginChallenge%3XXXXX&signup_redirect_url=http%3A%2F%2Flocalhost%3A3001%2Fauthenticate%3FloginChallenge%XXXXX

loginChallenge is the query parameter I’ve added (it’s fairly large)

image1500×634 50.6 KB

Hey Alan – which URL are you on in the browser when you receive that 403? Is the 403 in response to a request to Stytch or a request to Google?

If you substitute your loginChallenge value for something short (like 12345, just for testing purposes) do you still receive the 403?

https://test.stytch.com/v1/public/oauth/google/start?public_token…

Yes, if it’s shorter it does work (I am removing the signupRedirectUrl parameters)

Hey Alan!

I am removing the signupRedirectUrl parameters

To clarify, does removing the signupRedirectUrl param prevent the 403, or shortening the loginChallenge param prevents the 403 error (and you’re also removing the signupRedirectUrl param)?

For context, sometimes requests with extremely long query parameters can run into 403 errors, usually because something within the parameter values looks suspicious, and the request is blocked at the server level.

Do you have an example full URL you’d be able to provide, or any context on the syntax of loginChallenge? If you’re able to either shorten the loginChallenge parameter or perhaps change the way it’s generated that would likely do the trick!

I removed signupRedirectUrl (set it to null). I didn’t shorten anything, I left loginRedirectUrl as is.

Hey Alan,

Got it - are you able to send over an example URL that’s hitting a 403, with the offending signupRedirectUrl parameter in particular?

In general, this parameter shouldn’t be causing 403 errors, and we haven’t been able to reproduce this with the signupRedirectUrl included in the earlier URL provided (https://test.stytch.com/v1/public/oauth/google/start?public_token=public-token-test-4dc83bfd-da9e-4a96-b219-e42407eef19d&login_redirect_url=http%3A%2F%2Flocalhost%3A3001%2Fauthenticate%3FloginChallenge%3XXXXX&signup_redirect_url=http%3A%2F%2Flocalhost%3A3001%2Fauthenticate%3FloginChallenge%XXXXX).

Thanks!