sachal-malick6856 avatar image
sachal-malick6856 asked John Wang Deactivated commented

OAuth Authentication Code Flow: change variable name in authenticated response URL containing code from "code" to something else

I am building a RingCentral application on a server that for security purposes will not take any POST/GET variables other than a specified one. When I try to authenticate, the response url which contains the code as a query string variable with the variable name "code", causes my server to stop the script from running. I would like to change the variable name in the response url that contains the authorization code. Is this possible? Can it be done using response_type? RingCentral specifies on the API that response_type must be set to "code" so I'm not sure. Any advice would be highly appreciated.

1 |3000

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

John Wang avatar image
John Wang Deactivated answered
The parameter named "code" is a required field in the OAuth 2.0 standard, IETF RFC 6749, so it is commonly used and accepted.

The behavior of your server sounds odd. Is this logic part of your own application code or a framework you are using? Do you know why it does this and whether the logic be changed?
1 |3000

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

sachal-malick6856 avatar image
sachal-malick6856 answered John Wang Deactivated commented
The logic is part of a framework I am using and it cannot be changed.  I imagine it is to protect the server from attacks hidden in GET/POST requests.
What are my options?
1 |3000

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

John Wang avatar image John Wang ♦♦ commented ·
What framework to you use? I'm curious if others will run into this same issue.

One option you can use is to redirect to a server on a different hostname and then retrieve the authorization code from the URL on the client-side. You can then exchange the authorization code for an access token on the browser side or possibly send then auth code to the server to do the exchange (so the access token isn't exposed on the browser).

For example, if you wanted to, you could set up a free Github pages website say, and redirect there to have the browser end up with, then use the browser client-side JS to extract the code and then use it either in the browser to get an access token or possibly transfer to your server to do the exchange.

You can see a demo of client-side processing in the "public/index.html" page client-side JS code here:
1 Like 1 ·
sachal-malick6856 avatar image sachal-malick6856 commented ·
Hi John,

Thanks for your reply.  That is the solution I ended up going with thought i was hoping to avoid it.
You can follow up with me at if you're curious about my app.
1 Like 1 ·
John Wang avatar image John Wang ♦♦ commented ·
Your site looks very interesting and I will certainly take you up on your offer.

Regarding hosting a separate service for the callback, some services will allow hosting the callback on their own domain so we can look into that as well.
0 Likes 0 ·

Developer sandbox tools

Using the RingCentral Phone for Desktop, you can dial or receive test calls, send and receive test SMS or Fax messages in your sandbox environment.

Download RingCentral Phone for Desktop:

Tip: switch to the "sandbox mode" before logging in the app:

  • On MacOS: press "fn + command + f2" keys
  • On Windows: press "Ctrl + F2" keys