4

I am writing an Express application, and I have to authenticate the user using the OAuth 2.0 flow. I have successfully redirected the user to the OAuth provider, and the provider sends the access token in the OAuth callback. Something like

http://localhost:4000/oauth/callback#access_token=<token>

Now I have an Express route handler like

app.get('/oauth/callback', function(req, res, next) {
});

I know that the hash fragment is not passed to the server, but this is an OAuth callback.

How can I get the URL hash fragment in the route handler?

Syed
  • 2
    "I know that hash fragment is not passed to server" - stop right there. If anyone is sending the fragment through HTTP, callback or not, they are violating protocol, and libraries should not be accommodating that. Use a normal GET parameter: `http://localhost:4000/oauth/callback?access_token=`. – Amadan Nov 12 '15 at 08:24
  • 1
    @Amadan this is the bug in [contentful](https://www.contentful.com/developers/docs/references/authentication) and I don't understand why it is like this. This is amateur. – Syed Nov 12 '15 at 10:46
  • 1
    The URL contains `access_token` parameter. It implies you have used Implicit Flow. In Implicit Flow, parameters must be embedded in the fragment part. It is NOT a bug of the OAuth server. – Takahiko Kawasaki Nov 12 '15 at 23:25

2 Answers

5

The URL contains access_token parameter. It implies you have used Implicit Flow. In Implicit Flow, parameters must be embedded in the fragment part. The behavior is NOT a bug of the OAuth server.

If you want to receive parameters via the query part, you have to use Authorization Code Flow.

In addition, if the OAuth server supports OAuth 2.0 Form Post Response Mode, your redirect endpoint can receive data as a POST request by adding response_mode=form_post to your authorization request. The specification is similar to the idea described by trodrigues.

The table below shows the relationship between "response_type/response_mode" and "HTTP status/data position".

[Image: table relating response_type/response_mode to HTTP status and data position]

See "Response Format" in Authlete's Definitive Guide for details about the response format of authorization endpoint.

Takahiko Kawasaki
  • I'm a co-founder of Authlete, Inc. Sorry for links to our web site, but it is difficult to find this kind of information in this level at other places. – Takahiko Kawasaki Nov 12 '15 at 23:23
  • Yep, Google have it documented in the [same way](https://developers.google.com/identity/protocols/OAuth2UserAgent), thanks for the heads up! – simo Nov 13 '15 at 08:44
  • @TakahikoKawasaki Thanks for the detailed explanation. This does answer my question. I was not saying it is a bug in the OAuth 2 provider. The question was to know "whether it is possible to parse the hash fragment at the server side in the OAuth callback". The table answers my question; clearly this type of detail is not easily available on a Google search. – Syed Nov 14 '15 at 17:29
  • @trodrigues' answer below is what I was looking for. The OAuth 2 provider in question was Contentful, and Contentful only supports the implicit grant type as of now. – Syed Nov 14 '15 at 17:30
1

I work for Contentful.

Unfortunately, at the moment this is the way our OAuth callback works, and we don't send back a query-string parameter. I've mentioned and discussed this, and we'll fix it at some point, but we have no exact time frame for now.

The best thing you can do at the moment is to serve a plain HTML page from your Express app that has some JavaScript that will extract the token from window.location.hash and then make a request to your /oauth/callback?access_token=token endpoint.

trodrigues
  • 1
    I'm just wondering what the benefit of using a hash instead of a query string is. I've never seen that before. – simo Nov 12 '15 at 11:47
  • 2
    There's not exactly a benefit, but it's the flow usually used for client side browser applications, which was the most expected use case when this was initially implemented. As I said, it is an oversight that we haven't implemented other flows but this will be fixed. – trodrigues Nov 13 '15 at 08:23