3

I recently started fiddling with OneDrive API which uses OAuth 2.0 authentication / authorization flow.

OneDrive API OAuth 2.0

I am trying to follow along the Token Flow to get access token using an ASP.NET MVC Application.

The request I make is something similar to the following:

GET https://login.live.com/oauth20_authorize.srf?client_id={client_id}&scope={scope}&response_type=token&redirect_uri={redirect_uri}

On successful authorization from the user the web browser will be redirected to your redirect URL with additional parameters added to the URL.

The redirect URL is similar to the following: https://login.live.com/oauth20_authorize.srf#access_token={access_token}&authentication_token={authentication_token}&token_type=bearer&expires_in=3600&scope=onedrive.info%20onedrive.full&user_id={user_id}

Notice the # in the above format URL. This is as per specification of OAuth 2.0 protocol standards.

Question: If I have a redirect URL to handle in my MVC application which has query parameters section starting with ? then it can be handled very easily using a controller's action with proper input parameters mapping the query string key / values.

How can I handle a URL in my MVC application that has query string section starting with # and get all query string key / values from it?

Side note: I would request not to suggest using any third party API / Libraries / Routines in this case. Considering the fact that I wish to do the OAuth process plain and simple way. Thanks

Jsinh
  • 2,539
  • 1
  • 19
  • 35

1 Answers1

3

The method you have chosen which is the Token Flow also known as the Implicit Grant Flow intentionally uses a # (fragment). This is for security purposes to avoid man in the middle attacks. The answer in this link provides some description on the topic OAuth2.0 Implicit Grant flow. Why use url hash fragments?

However if you still want to use the Token Flow, you can read the values on the client side in JavaScript using window.location.hash and then process those values with probably an Ajax submit to the server.

I would suggest you use the Code Flow which is meant for the scenario you have explained in your question. The Code Flow is available on the same link https://github.com/OneDrive/onedrive-api-docs/blob/master/auth/msa_oauth.md#code-flow

Incidentally, the above link has a # (fragment) in it too :)

Community
  • 1
  • 1
Praveen Paulose
  • 5,741
  • 1
  • 15
  • 19
  • This makes perfect sense to me now. I was suspecting that but I am sure of it now. Plus I get to know about the better known keyword for Token flow as "Implicit Grant Flow" which helps me reading more information in that direction and for what purposes it is used. Thanks @Praveen for refs. Adding one more to complete it : http://stackoverflow.com/questions/7522831/what-is-the-purpose-of-the-implicit-grant-authorization-type-in-oauth-2 – Jsinh Mar 04 '15 at 20:16