Application GET handling url conflict


I have this PHP app that I use to check the authentication of my users.

I have the authentication working, but when my GET is only specifying “/duo-callback”, it’s not accounting for the state variable and duo_code that’s appended afterward with "?state=&duo-code=<duo_code>".

$app->get('duo-callback', function (Request $request, Response $response, $args) use ($duo_client, $logger) {
    $queryParams = $request->getQueryParams();
    $renderer = new PhpRenderer('./templates');

    # Check for an error returned by the Duo authentication
    if (isset($queryParams["error"])) {
        $error_msg = $queryParams["error"] . ":" . $queryParams["error_description"];
        $response->getBody()->write("Got Error: " . $error_msg);
        return $response;
    }

    # Get authorization token to trade for 2FA
    $code = $queryParams["duo_code"];

    # Get state to verify consistency and originality
    $state = $queryParams["state"];

    # Retrieve the previously stored state and username from the session
    $session = new \SlimSession\Helper();
    $saved_state = $session->get("state");
    $username = $session->get("username");

    if (empty($saved_state) || empty($username)) {
        $args["message"] = "No saved state, please login again";
        return $renderer->render($response, "login.php", $args);
    }

    # Strict comparison, so numeric-looking strings are not treated as loosely equal
    if ($state !== $saved_state) {
        $args["message"] = "Duo state does not match saved state";
        return $renderer->render($response, "login.php", $args);
    }

    try {
        $decoded_token = $duo_client->exchangeAuthorizationCodeFor2FAResult($code, $username);
    } catch (DuoException $e) {
        $args["message"] = "Error decoding Duo result. Confirm device clock is correct.";
        return render_login_page($response, $renderer, $args);
    }

    # Exchange happened successfully so render success page
    $args["message"] = json_encode($decoded_token, JSON_PRETTY_PRINT);
    return $renderer->render($response, "complete.php", $args);
});

The issue I’m getting is that after I authenticate and get to this point, the GET appends the tokens I mentioned above.

Is there a step I’m missing so I can render my complete page? Any help would be appreciated.


I’m unclear what your problem is.

When you navigate to /duo-callback?state=123@duo_code=456, are you saying that $queryParams is empty?
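An added example, not code from either poster or from Duo: it shows that the path and the query string of a callback URL are parsed separately, and checks `state` and `duo_code` against the session with a constant-time, single-use comparison. The function name `check_duo_callback`, the plain-array session and all sample values are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: validate a Duo callback URL against session data.
 * Returns ['ok' => bool, 'reason' => string, 'code' => ?string].
 */
function check_duo_callback(string $url, array &$session): array
{
    // A route pattern is matched against the path only; the query string
    // is a separate component and never has to appear in the route.
    $path = parse_url($url, PHP_URL_PATH);
    parse_str((string) parse_url($url, PHP_URL_QUERY), $params);

    if ($path !== '/duo-callback') {
        return ['ok' => false, 'reason' => 'wrong path', 'code' => null];
    }

    // Reject missing, empty or array-valued parameters (e.g. state[]=x).
    $state = $params['state'] ?? null;
    $code  = $params['duo_code'] ?? null;
    if (!is_string($state) || $state === '' || !is_string($code) || $code === '') {
        return ['ok' => false, 'reason' => 'missing state or duo_code', 'code' => null];
    }

    // The saved state is single-use: remove it before comparing so that
    // a replayed callback finds nothing to match.
    $saved = $session['state'] ?? '';
    unset($session['state']);
    if (!is_string($saved) || $saved === '' || !hash_equals($saved, $state)) {
        return ['ok' => false, 'reason' => 'state mismatch', 'code' => null];
    }

    return ['ok' => true, 'reason' => 'ok', 'code' => $code];
}

// Constructed sample session and callback URLs.
$session = ['state' => 'abc123', 'username' => 'alice'];
$urls = [
    '/duo-callback?state=abc123&duo_code=xyz789', // valid first use
    '/duo-callback?state=abc123&duo_code=xyz789', // replay of the same callback
    '/duo-callback?state[]=abc123&duo_code=xyz789', // array-valued state
    '/duo-callback',                                // no query string at all
];
foreach ($urls as $url) {
    $result = check_duo_callback($url, $session);
    printf("%-48s %s\n", $url, $result['reason']);
}
```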