javascript - Parse url hash fragment in express application - Stack Overflow


I am writing an express application, and I have to authenticate the user using the OAuth 2.0 flow. I have successfully redirected the user to the OAuth provider, and the provider sends the access token in the OAuth callback. Something like

http://localhost:4000/oauth/callback#access_token=<token>

Now I have an express route handler like

app.get('/oauth/callback', function(req, res, next) {
});

I know that the hash fragment is not passed to the server, but this is an OAuth callback.

How can I get the URL hash fragment in the route handler?

asked Nov 12, 2015 at 8:20 by Syed
  • 2 "I know that hash fragment is not passed to server" - stop right there. If anyone is sending the fragment through HTTP, callback or not, they are violating protocol, and libraries should not be accommodating that. Use a normal GET parameter: http://localhost:4000/oauth/callback?access_token=<token>. – Amadan Commented Nov 12, 2015 at 8:24
  • 1 @Amadan this is the bug in contentful and I don't understand why it is like this. This is amateur. – Syed Commented Nov 12, 2015 at 10:46
  • 1 The URL contains access_token parameter. It implies you have used Implicit Flow. In Implicit Flow, parameters must be embedded in the fragment part. It is NOT a bug of the OAuth server. – Takahiko Kawasaki Commented Nov 12, 2015 at 23:25

2 Answers


The URL contains access_token parameter. It implies you have used Implicit Flow. In Implicit Flow, parameters must be embedded in the fragment part. The behavior is NOT a bug of the OAuth server.

If you want to receive parameters via the query part, you have to use Authorization Code Flow.

In addition, if the OAuth server supports OAuth 2.0 Form Post Response Mode, your redirect endpoint can receive data as a POST request by adding response_mode=form_post to your authorization request. The specification is similar to the idea described by trodrigues.

The table below shows the relationship between "response_type/response_mode" and "HTTP status/data position".

See "Response Format" in Authlete's Definitive Guide for details about the response format of the authorization endpoint.

I work for Contentful.

Unfortunately, at the moment this is the way our OAuth callback works, and we don't send back a query string parameter. I've mentioned and discussed this and we'll fix this at some point, but we have no exact time frame for now.

The best thing you can do at the moment is to serve a plain HTML page from your express app that has some JavaScript that will extract the token from window.location.hash and then make a request to your /oauth/callback?access_token=token endpoint.
