Redirect to multiple URLs

Add the OAuth state parameter to dynamically redirect a user to multiple redirect URLs.

📘

Note:

By using this API and its documentation and building an integration, you agree to the Additional API Terms and Guidelines.

Dynamically redirect a user to multiple URLs

When you register an OAuth client app that uses the authorization code flow (3-legged OAuth), Indeed limits the number of redirect URLs to five, which conforms to the security best practices for OAuth apps.

  1. To dynamically redirect a user to multiple URLs, add a state parameter to your authorize URL:

    https://secure.indeed.com/oauth/v2/authorize?client_id=6nwwcdklwgktryjw2j5fxh5t2fyneule7zg7mvw3pf9jbx3wmewzlxkdz1jxvs6b&redirect_uri=http%3A%2F%2Fwww.acerecruitersllc.com%2Foauth%2Findeed&response_type=code&scope=email+offline_access+employer_access&state=AnyValue
    

    After the Indeed user completes the authorization code flow (3-legged OAuth), Indeed returns the state query parameter value in your redirect URL:

    GET http://www.acerecruitersllc.com/oauth/indeed?code=rXZSMNyYQHQ&state=AnyValue
    
  2. To pass a URL in the state parameter, such as https://somesite.com, URL-encode it:

    https://secure.indeed.com/oauth/v2/authorize?client_id=6nwwcdklwgktryjw2j5fxh5t2fyneule7zg7mvw3pf9jbx3wmewzlxkdz1jxvs6b&redirect_uri=http%3A%2F%2Fwww.acerecruitersllc.com%2Foauth%2Findeed&response_type=code&scope=email+offline_access+employer_access&state=https%3A%2F%2Fsomesite.com
    
  3. When Indeed redirects the user to your app, use the state parameter value to redirect them to another destination, such as https://somesite.com.

Guidelines

Do not expose the authorization code

📘

Note:

If you redirect a user to an untrusted website, you inadvertently reveal the OAuth authorization code in the HTTP Referer header, which contains the URL that requested a page.

The HTTP specification spells the header name Referer, which is a misspelling of referrer.

You might unintentionally expose the authorization code to the website that the state parameter represents. That website likely records the authorization code in its logs.

  • To prevent the authorization code from leaking, redirect the user to another trusted page in your app before you redirect them to the untrusted app. The HTTP Referer header only reveals the latest URL and not any URLs requested before that.
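The two-hop redirect described above, as an added example that is not Indeed's code. The `/oauth/continue` path, the `next` parameter, the function names and the exact-match allowlist of destinations are assumptions made for this sketch.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: the only destinations this app forwards users to (constructed).
ALLOWED_DESTINATIONS = {"https://somesite.com"}
# Hypothetical trusted page in your own app, used as the intermediate hop.
INTERMEDIATE_PATH = "/oauth/continue"


def check_destination(url):
    """Exact-match allowlist check; no URL parsing, so no parser quirks."""
    if url not in ALLOWED_DESTINATIONS:
        raise ValueError("destination not allowed")
    return url


def handle_callback(callback_url):
    """First hop: the redirect URL Indeed called, which carries code and state.

    Returns (authorization_code, Location header value). The Location points
    at a page in this app and does not contain the authorization code.
    """
    query = parse_qs(urlsplit(callback_url).query)
    code = query.get("code", [""])[0]
    state = query.get("state", [""])[0]  # parse_qs already URL-decodes it
    if not code:
        raise ValueError("missing authorization code")
    destination = check_destination(state)
    # Exchange `code` for tokens server-side here, before redirecting.
    return code, INTERMEDIATE_PATH + "?" + urlencode({"next": destination})


def handle_intermediate(intermediate_url):
    """Second hop: the Referer the destination sees is this code-free URL."""
    query = parse_qs(urlsplit(intermediate_url).query)
    return check_destination(query.get("next", [""])[0])


if __name__ == "__main__":
    # Constructed callback, using the sample values from the steps above.
    cb = ("http://www.acerecruitersllc.com/oauth/indeed"
          "?code=rXZSMNyYQHQ&state=https%3A%2F%2Fsomesite.com")
    code, hop = handle_callback(cb)
    print(hop)
    print(handle_intermediate(hop))
```

The destination is checked again on the second hop because the `next` value arrives from the browser and could have been altered since the first check.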

Do not append query parameters to the redirect URI

Currently, Indeed supports query parameters in the redirect URI.

https://secure.indeed.com/oauth/v2/authorize?client_id=80f9f4bd6a34cac31daebe1a093a606ce6b34e91ae6cfa139432ae387269a529&response_type=code&state=random&scope=email+offline_access+employer_access&redirect_uri=https%3A%2F%2Fsomesite.com%3Freturn%3Dhttps%3A%2F%2Fsomeothersite.com

The authorize URL includes a redirect_uri parameter with the https://somesite.com?return=https://someothersite.com value.

Notice that the redirect_uri parameter includes the return query parameter, which contains another redirect URL.

While Indeed currently supports query parameters in the redirect_uri parameter, Indeed might discontinue that support in the future. So, Indeed encourages you to use the state parameter rather than using query parameters in the redirect_uri parameter.
