1

I been working with OAuth2 to provide authentication techniques on my asp.net 4.0 website using c# in the code behind. I have noticed recently that Windows Live api is no longer working in the code I had made. It is making the call and getting the access token back from Live, but then I am stuck. It is adding a # to the beginning of the query string it is sending back so I have the following type of url send back to me by live

...mypage.aspx?#access_token=43t78fehef83jfvwenj3...

Previously before the # was added I merely took the query string returned and parsed out the access token with the following command.

accessToken = Request.QueryString["access_token"];

With the addition of the hash though I can no longer obtain that querystring as the hash fools the page into thinking it is an anchor. When I checked my debugging local variables I will always end up with an empty querystring and haven't figured out how to get it to give me the actual string so I can parse it for the access token.

Any ideas on how I would get the querystring?

Thanks

David Taylor
  • 111
  • 1
  • 1
  • 8

1 Answers1

0

The URL hash fragment (part after the #) is not sent from the user-agent browser to the web server. So, you'll need some client-side (likely JavaScript) code to parse it out and send it on to your server.

Here's some simple code which parses the hash fragment params and puts them into a JavaScript array:

// parse the query string
// from http://oauthssodemo.appspot.com/step/2
var params = {}, queryString = location.hash.substring(1),
    regex = /([^&=]+)=([^&]*)/g, m;
while (m = regex.exec(queryString)) {
  oauthParams[decodeURIComponent(m[1])] = decodeURIComponent(m[2]);
}

You can then use AJAX or other techniques to pass these values back to your web server, where you can parse them out if you need the access token server-side.

Of course, if all your code is server-side, you can also use the Authorization Code flow available in Windows Live:

http://msdn.microsoft.com/en-us/library/live/hh243647.aspx#authcodegrant

This allows you to get an authorization code in the main query string (?code=foo) and then do a server-to-server call from your server to Microsoft's to exchange that code for an access_token.

Ryan Boyd
  • 2,978
  • 1
  • 21
  • 19