0

When I perform a `get_authorize_url` request to Facebook, I am redirected to the following URL (seen in the browser):

http://127.0.0.1:5000/#access_token=sdfsdfasfaf&expires_in=5849

But I am unable to obtain this access_token in Flask: it is not in `request.args`, it is not in `request.query_string`, it is not even there in `request.url`. Maybe Flask is having trouble with the # character? How can I access that query parameter?

This is the relevant part of my code (derived from the rauth facebook-cli example):

```python
from flask import redirect, request, url_for
from rauth import OAuth2Service

# rauth OAuth 2.0 service wrapper
graph_url = 'https://graph.facebook.com/'
facebook = OAuth2Service(name='facebook',
                         authorize_url='https://www.facebook.com/dialog/oauth',
                         access_token_url=graph_url + 'oauth/access_token',
                         client_id=app.config['FB_CLIENT_ID'],
                         client_secret=app.config['FB_CLIENT_SECRET'],
                         base_url=graph_url)

...

@app.route('/facebook/login')
def login():
    redirect_uri = url_for('authorized', _external=True)
    params = {'scope': 'read_stream',
              'response_type': 'token',
              'redirect_uri': redirect_uri}
    return redirect(facebook.get_authorize_url(**params))

@app.route('/facebook/authorized')
def authorized():
    # I am not able to find the access_token
    print(dir(request))
    print(request.args)
    print(request.query_string)
    print(request.url)

    ...
```

maxcountryman
blueFast
  • I would strongly recommend using `response_type` `code` instead of `token` as the former flow tends to work better for web applications where the latter flow was used in the command line example script. (Please note, the cli example is not intended to be used as a model for web apps!) – maxcountryman Apr 19 '13 at 14:30

2 Answers

1

If you follow the Facebook Flask example and use the code response, there's no need for any JavaScript. In fact, in general, that is not a requirement for OAuth consumers.

maxcountryman
  • Right. But the facebook example is performing authorization requests all the time. I want to somehow "save" the access_token for future use, so that the user does not need to authorize my application each time that I want to send a request to the facebook API. – blueFast Apr 19 '13 at 13:59
  • You can do this by accessing the token on the session instance like so: `session.access_token`. Then persist this data somewhere safe. – maxcountryman Apr 19 '13 at 14:19
0

The part of a URI marked by '#' is called the fragment identifier. It is not transmitted to the server and can be processed on the client side only, by JS, for example.

Michael Gendin
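
What the answers above describe, as an added example that is not part of the original posts: a standard-library sketch of the request a WSGI server (and so the Flask view) receives for each `response_type`. The helper names `browser_request`, `server_sees` and `browser_only` are hypothetical, and the `code` value is a constructed placeholder.

```python
from urllib.parse import parse_qsl, urlsplit
from wsgiref.util import request_uri, setup_testing_defaults


def browser_request(redirect_url):
    """WSGI environ for the request a browser makes after following redirect_url.

    Only the path and query are sent; the fragment never leaves the browser.
    """
    parts = urlsplit(redirect_url)
    environ = {
        "HTTP_HOST": parts.netloc,
        "PATH_INFO": parts.path or "/",
        "QUERY_STRING": parts.query,  # parts.fragment is deliberately not sent
    }
    setup_testing_defaults(environ)  # fills in REQUEST_METHOD, wsgi.url_scheme, ...
    return environ


def server_sees(redirect_url):
    """Return (args, url): server-side equivalents of request.args and request.url."""
    environ = browser_request(redirect_url)
    return dict(parse_qsl(environ["QUERY_STRING"])), request_uri(environ)


def browser_only(redirect_url):
    """Parameters carried in the fragment, readable only by client-side script."""
    return dict(parse_qsl(urlsplit(redirect_url).fragment))


# The redirect from the question (response_type=token) and a constructed
# redirect for response_type=code; the code value is a placeholder.
IMPLICIT = "http://127.0.0.1:5000/#access_token=sdfsdfasfaf&expires_in=5849"
CODE = "http://127.0.0.1:5000/facebook/authorized?code=PLACEHOLDER_CODE"

if __name__ == "__main__":
    for url in (IMPLICIT, CODE):
        print(server_sees(url), browser_only(url))
```

With `response_type=code` the value arrives in the query string, so the view can read it and exchange it for a token server-side without any client-side script.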