Confirming User Identity

After your service has authenticated and received a response from the Login dialog, perform a check to ensure the logged-in user is the same user who originally began the login process.


The OAuth flow redirects the browser to URLs whose parameters can be altered for potentially malicious purposes.

In order to ensure your app doesn't use incorrect fragments or parameters, your app should confirm the identity of the user before generating an access token for them. Confirming identity can be accomplished in different ways based on the response_type received:

code: Exchange code for an access token using an endpoint that can make this confirmation
token: Make an API call to an inspection endpoint that will indicate who the token was generated for and by which app
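
One way to carry out the token check described above, as an added example that is not LaunchKey's own code. The `inspect` wrapper, the inspection field names (`is_valid`, `app_id`, `user_id`), the callback URL and the sample tokens are all assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

class IdentityMismatch(Exception):
    """Token does not belong to this app or to the expected user."""

# Constructed sample responses standing in for the inspection endpoint.
SAMPLE_INSPECTIONS = {
    "tok-alice": {"is_valid": True, "app_id": "app-123", "user_id": "alice"},
    "tok-other-app": {"is_valid": True, "app_id": "app-999", "user_id": "alice"},
    "tok-mallory": {"is_valid": True, "app_id": "app-123", "user_id": "mallory"},
}

def fake_inspect(token):
    """Offline stand-in for the HTTPS call to the inspection endpoint."""
    return SAMPLE_INSPECTIONS.get(token, {"is_valid": False})

def token_from_redirect(redirect_url):
    """Pull access_token out of the redirect's URL fragment."""
    params = parse_qs(urlsplit(redirect_url).fragment)
    tokens = params.get("access_token", [])
    if len(tokens) != 1:  # missing or repeated parameter: refuse to guess
        raise IdentityMismatch("expected exactly one access_token")
    return tokens[0]

def confirm_identity(redirect_url, inspect, app_id, pending_user=None):
    """Return the user the token was issued for, or raise IdentityMismatch.

    inspect(token) -> dict wraps the inspection endpoint (assumed fields:
    is_valid, app_id, user_id). pending_user is the user tied to the
    session that began the login, when the service knows it.
    """
    info = inspect(token_from_redirect(redirect_url))
    if info.get("is_valid") is not True:
        raise IdentityMismatch("token rejected by inspection endpoint")
    if info.get("app_id") != app_id:
        raise IdentityMismatch("token was generated for a different app")
    user = info.get("user_id")
    if not user:
        raise IdentityMismatch("inspection response names no user")
    if pending_user is not None and user != pending_user:
        raise IdentityMismatch("token was generated for a different user")
    return user

if __name__ == "__main__":
    url = "https://service.example/callback#access_token=tok-alice&token_type=bearer"
    print(confirm_identity(url, fake_inspect, "app-123", "alice"))
```

Only after `confirm_identity` returns should the service create a session for the returned user; any `IdentityMismatch` means the fragment must be discarded.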
