  • Problem on redirect_uri address

    Hi

    I am having a problem with the URL redirect address after a successful authorization.
    The redirect address has # instead of ?

    Is this a bug in AuthorizationEndpoint.appendAccessToken? It redirects

    http://localhost:8080/oauth/authorize?response_type=token&client_id=900c3eab9cd06fea&scope=read&redirect_uri=http://localhost:8080/api/photos

    to

    http://localhost:8080/api/photos#access_token=688511b6-3e41-4220-9981-010f470471d9&token_type=bearer&expires_in=36480

    If I change # to ? then the URL works fine.

  • #2
    It looks like you're getting what you asked for there - if you ask for response_type=token you get a fragment encoded token. Look up "Implicit Grant Type" in the spec.



    • #3
      Are you saying I asked for http://localhost:8080/api/photos#access_token?

      Why isn't it ? in the URI?



      • #4
        Originally posted by shahbazi:
        Why isn't it ? in the URI?
        Why should it be? Did you read the spec on implicit grants? Is that not what you need? Please try to explain a bit more what you expect to happen and why.



        • #5
          I am not sure, but I think there is a bug in line 53
          of OAuth2AuthenticationProcessingFilter: request.getParameter(OAuth2AccessToken.ACCESS_TOKEN)
          cannot read the access token from the request while it comes as #access_token.

          Yes, I am reading the spec. I don't know why we are using #.

          The problem is, when I use
          http://localhost:8080/api/photos#acc...pires_in=41802
          it always goes to the Authorization Server's access confirm page. As soon as I change it to ?access_token=... then it works perfectly.

          I've a similar problem to this guy: http://java.resourcezen.com/facebook...s-access-token
          Last edited by shahbazi; Mar 3rd, 2012, 06:59 PM.



          • #6
            Originally posted by shahbazi:
            Yes, I am reading the spec. I don't know why we are using #.
            Because that's what it says in the spec http://tools.ietf.org/html/draft-iet...#section-4.2.2. A URI fragment (after the #) is not passed on to the server by a browser client - that's intentional, and it's a feature exploited by the spec to prevent access tokens from being exposed in server logs etc. If your client is not able to consume the fragment, then you need a new client, or a new grant type.

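Post #6 explains why the token sits after the # and why a server-side filter never sees it. The following is an added JavaScript example, not code from this thread or from Spring Security OAuth, that shows both halves of that point for the redirect in post #1: what the resource server receives versus what a browser-side client can parse from the fragment. The sample redirect URL is constructed from the values quoted in the thread.

```javascript
// Added example for this thread (not code from the thread or from Spring
// Security OAuth). Sample redirect URL constructed from the values in post #1.
const SAMPLE_REDIRECT =
  "http://localhost:8080/api/photos#access_token=688511b6-3e41-4220-9981-010f470471d9" +
  "&token_type=bearer&expires_in=36480";

// The request target an HTTP server receives for a navigation to this URL.
// The fragment (u.hash) is dropped on purpose: a browser never sends it, which
// is why a server-side filter reading request.getParameter("access_token")
// finds nothing after an implicit-grant redirect.
function requestTargetSeenByServer(redirectUrl) {
  const u = new URL(redirectUrl);
  return u.pathname + u.search;
}

// What browser-side (JavaScript) client code can read: the fragment, parsed
// with the same form-encoding rules as a query string. Returns null when the
// fragment does not carry a usable bearer token.
function parseImplicitGrantFragment(redirectUrl) {
  const u = new URL(redirectUrl);
  const params = new URLSearchParams(u.hash.replace(/^#/, ""));
  const accessToken = params.get("access_token");
  if (!accessToken) return null;
  const tokenType = (params.get("token_type") || "").toLowerCase();
  if (tokenType !== "bearer") return null; // only bearer tokens are handled here
  const rawExpires = params.get("expires_in");
  const expiresIn = rawExpires === null ? null : Number(rawExpires);
  return {
    accessToken,
    tokenType,
    expiresIn: Number.isFinite(expiresIn) ? expiresIn : null,
    state: params.get("state"), // null unless the client sent a state value
  };
}

// The header a client sends to the resource server with the token it parsed,
// instead of moving the token into the query string where it would be logged.
function authorizationHeader(grant) {
  return `Bearer ${grant.accessToken}`;
}
```

Running requestTargetSeenByServer on the "?access_token=..." variant from post #5 returns the token as part of the request target, which is exactly the server-log exposure post #6 says the fragment is meant to avoid.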
