问题
I am writing a express application, and I have to authenticate the user using oauth 2.0 flow. I have successfully redirected the user to the oauth provider and the provider send the access token in the oauth callback. Something like
http://localhost:4000/oauth/callback#access_token=<token>
Now I have a express route handler like
app.get('/oauth/callback', function(req, res, next) {
});
I know that hash fragment is not passed to server, but this is a oauth callback.
How can I get the url hash fragment in the route handler ?
回答1:
I work for Contentful.
Unfortunately at the moment this is the way our OAuth callback works, and we don't send back a query string parameter. I've mentioned and discussed this and we'll fix this at some point but we have no exact time frame for now.
The best thing you can do at the moment is to serve a plain HTML page from your express app that has some javascript that will extract the token from window.location.hash and then make a request to your /oauth/callback?access_token=token endpoint.
回答2:
The URL contains access_token parameter. It implies you have used Implicit Flow. In Implicit Flow, parameters must be embedded in the fragment part. The behavior is NOT a bug of the OAuth server.
If you want to receive parameters via the query part, you have to use Authorization Code Flow.
In addition, if the OAuth server supports OAuth 2.0 Form Post Response Mode, your redirect endpoint can receive data as a POST request by adding response_mode=form_post to your authorization request. The specification is similar to the idea described by trodrigues.
The table below shows relationship between "response_type/response_mode" and "HTTP status/data position".
See "Response Format" in Authlete's Definitive Guide for details about the response format of authorization endpoint.
来源:https://stackoverflow.com/questions/33667003/parse-url-hash-fragment-in-express-application