Title: WP OAuth2 modifies state variable during authentication
Last modified: November 29, 2023

---

# WP OAuth2 modifies state variable during authentication

 *  [danwilliamsbooks](https://wordpress.org/support/users/danwilliamsbooks/)
 * (@danwilliamsbooks)
 * [2 years, 6 months ago](https://wordpress.org/support/topic/wp-oauth2-modifies-state-variable-during-authentication/)
 * When authenticating vs WP OAuth2 server using ‘authorization code’ flow, the 
   base64 encoded state parameter is incorrectly modified by WP OAuth2 server. The
   redirect from my client code looks something like this:
 * https://www.mysite.com/oauth/authorize?response_type=code&client_id=xxxxxxxxxxxxxxxxxxxx&state=affffff1233414313d9d9d9d_adddefefasdfadsfeadf2343**%3D**&redirect_uri=http://localhost:8080/login/oauth2/code/myclientname
 * When WP OAuth2 server provides the code for the next step in the flow, my client
   code does a GET to its own login endpoint:
 * GET http://localhost:8080/login/oauth2/code/myclientname?code=code_provided_by_WP_OAuth2_server&state=affffff1233414313d9d9d9d_adddefefasdfadsfeadf2343&iframe=break
 * The **%3D** has been stripped.
 * %3D is base64 encoded ‘=’ which the state parameter value is padded with if it
   does not reach a certain length. Some client libraries will accept the padding
   character’s removal and others will not. Mine doesn’t. I worked around it by 
   generating a hex encoded state parameter value instead and that works.
 * But WP OAuth2 server should send back the state in its exact original form so
   that finding the saved request at the other end does not fail.
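
Added example, not part of the original post or the plugin's code: a Python client-side check that sends three kinds of state value through a simulated server that drops trailing `=` (the behaviour reported above) and validates the callback with an exact match. The function names, the placeholder client id and code, and the simulated server are assumptions; the two URLs are the ones in the post.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE = "https://www.mysite.com/oauth/authorize"               # from the post
REDIRECT = "http://localhost:8080/login/oauth2/code/myclientname"  # from the post

def state_b64_padded(nbytes=32):
    # 32 random bytes encode to 44 characters, the last one being '=' padding.
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).decode()

def state_b64_unpadded(nbytes=32):
    # token_urlsafe() emits base64url with the padding already removed.
    return secrets.token_urlsafe(nbytes)

def state_hex(nbytes=32):
    # The workaround from the post: hex has no padding character at all.
    return secrets.token_hex(nbytes)

def authorize_url(state, client_id="CLIENT_ID_PLACEHOLDER"):
    # urlencode() percent-encodes '=' in the value as %3D, as in the post's URL.
    return AUTHORIZE + "?" + urlencode({
        "response_type": "code", "client_id": client_id,
        "state": state, "redirect_uri": REDIRECT})

def simulated_server_redirect(request_url, code="CODE_PLACEHOLDER"):
    # Assumption: models the reported behaviour only (trailing '=' dropped from state).
    q = parse_qs(urlsplit(request_url).query)
    echoed = q["state"][0].rstrip("=")
    return q["redirect_uri"][0] + "?" + urlencode({"code": code, "state": echoed})

def callback_state_ok(saved_state, callback_url):
    # Exact, constant-time comparison against the value saved before the redirect.
    returned = parse_qs(urlsplit(callback_url).query).get("state", [""])[0]
    return hmac.compare_digest(saved_state.encode(), returned.encode())

def survives_round_trip(state):
    return callback_state_ok(state, simulated_server_redirect(authorize_url(state)))

if __name__ == "__main__":
    for make in (state_b64_padded, state_b64_unpadded, state_hex):
        print(make.__name__, survives_round_trip(make()))
```

The client keeps the exact-match check in every case; only the encoding of the state value changes, so a padding-free value stays verifiable without loosening validation.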

The topic ‘WP OAuth2 modifies state variable during authentication’ is closed to
new replies.


 * 0 replies
 * 1 participant
 * Last reply from: [danwilliamsbooks](https://wordpress.org/support/users/danwilliamsbooks/)
 * Last activity: [2 years, 6 months ago](https://wordpress.org/support/topic/wp-oauth2-modifies-state-variable-during-authentication/)
 * Status: not resolved