[BUG OAUTH] - Missing state parameters in dev mode only since yesterday

Hey!

Since yesterday we have detected a bug during the plugin installation process, which occurs from nowhere and only in development mode.

When we complete the OAuth flow and we are redirected to ChatGPT, the callback URL contains the code, as usual, but ChatGPT shows an error and says we cannot log in.

This only appears with non-approved plugins (more info below):

Steps to reproduce:

  1. Create a plugin with OAuth.
  2. Go to Develop your plugin.
  3. Install the plugin.

Note: if you install this plugin as an unverified plugin and you log in, you should be able to reproduce it as well: https://plugin.pluginlab.io/

Here’s the error we get:

And there is this message in the console:

{"message":"Missing `state` param in response from OAuth provider"}

Even though the callback URL contains the code.

Note: it seems this error only occurs for plugins that are not publicly available in the store. For the plugins that are available on the store there is no error, either by installing them from the store OR by installing them as unverified plugins.

@logankilpatrick any thoughts on this?

3 Likes

After some research, I figured that OpenAI sends a state parameter when it sends the scope and the redirect_uri.

However, that is not documented. Here’s what the doc says:

  • When a user logs into the plugin, ChatGPT will direct the user’s browser to "[client_url]?response_type=code&client_id=[client_id]&scope=[scope]&redirect_uri=https%3A%2F%2Fchat.openai.com%2Faip%2F[plugin_id]%2Foauth%2Fcallback"

So I’m now appending this state parameter to the redirect_uri just next to the code parameter.

This solves the issue.

The thing is, it seems this state parameter is not documented at all and moreover it was not something blocking before. So I guess many developers are facing this issue now.

@logankilpatrick could you confirm that is something we should do? Since it’s not documented, I don’t want to make a mistake.

3 Likes

Hey

That’s a problem we are also facing. I agree this needs clarification.

1 Like

Hi @kevinpiac and @aurelle,
Thanks a lot for the report! I am facing the same problem.
To clarify the solution, what value did you add for the state parameter?
{redirect_url}?code={OPENAI_OAUTH_TOKEN}&state=???

1 Like

Actually, when ChatGPT redirects to your platform for the first time, it sends you the “redirect_uri” next to some other query parameters such as: the scope, the state and the client_id.

Here’s how it looks:

https://<your_auth_platform_url>?response_type=code&client_id=<CLIENT_ID>&redirect_uri=<REDIRECT_URI>&scope=&state=<STATE_VALUE>

So you have to keep track of that state and return it back when you return the code in the redirect_uri.
Such as:

{REDIRECT_URI}?code={OPENAI_OAUTH_TOKEN}&state={STATE_VALUE}

I hope it helps 🙂

5 Likes
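The round trip described in the post above, as an added example that is not part of the original thread and is not OpenAI's or PluginLab's code: the provider side echoes `state` into the callback URL, and a client-side check of the kind that produces the quoted error rejects a callback without it. The host `auth.example.com`, the plugin id, the function names and the client-side comparison are assumptions made for illustration.

```python
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed placeholder: the callback registered for the client.
REGISTERED_REDIRECT = "https://chat.openai.com/aip/plugin-EXAMPLE/oauth/callback"


def sample_authorize_url(state, redirect_uri=REGISTERED_REDIRECT):
    """Constructed request in the shape quoted in the thread."""
    query = {"response_type": "code", "client_id": "CLIENT_ID",
             "redirect_uri": redirect_uri, "scope": "", "state": state}
    return "https://auth.example.com/authorize?" + urlencode(query)


def build_callback_url(authorize_url, code):
    """Provider side: redirect back with the code and the echoed state."""
    params = dict(parse_qsl(urlsplit(authorize_url).query, keep_blank_values=True))
    redirect_uri = params.get("redirect_uri", "")
    # Exact match only, so the code is never sent to a URL taken from the request.
    if redirect_uri != REGISTERED_REDIRECT:
        raise ValueError("redirect_uri is not registered for this client")
    extra = [("code", code)]
    # state is opaque to the provider: return it unchanged, re-encoded for the URL.
    if "state" in params:
        extra.append(("state", params["state"]))
    parts = urlsplit(redirect_uri)
    query = parse_qsl(parts.query, keep_blank_values=True) + extra
    return urlunsplit(parts._replace(query=urlencode(query)))


def check_callback(callback_url, expected_state):
    """Client side (assumed behaviour): reject a callback without the right state."""
    params = dict(parse_qsl(urlsplit(callback_url).query, keep_blank_values=True))
    if "state" not in params:
        raise ValueError("Missing `state` param in response from OAuth provider")
    if not hmac.compare_digest(params["state"].encode(), expected_state.encode()):
        raise ValueError("state does not match the value sent in the request")
    return params["code"]


if __name__ == "__main__":
    url = build_callback_url(sample_authorize_url("a b+c/=&x"), "CODE123")
    print(url)
    print(check_callback(url, "a b+c/=&x"))
```

Storing the received `state` alongside the pending login (session or short-lived record) and passing it through `urlencode` on the way back keeps values containing `+`, `&` or `=` intact.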

@kevinpiac Thanks a lot for your helpful support, you made my day!! It completely worked!

2 Likes

Glad it helped! Feel free to have a look at https://pluginlab.ai, since we can manage all these hassles for you next time 🙂

1 Like