Esri / arcgis-rest-js

compact, modular JavaScript wrappers for the ArcGIS REST API
https://developers.arcgis.com/arcgis-rest-js/
Apache License 2.0

fix(arcgis-rest-request): fix issue with OAuth2 flow when using hash routing #1071

Closed philnagel closed 1 year ago

philnagel commented 1 year ago

fixes Esri/arcgis-rest-js#1070

patrickarlt commented 1 year ago

@philnagel thanks for the fix and the reproduction; however, OAuth 2.0 redirect URIs cannot contain fragments (hashes). From the spec:

The redirection endpoint URI MUST be an absolute URI as defined by [RFC3986] Section 4.3. The endpoint URI MAY include an "application/x-www-form-urlencoded" formatted (per Appendix B) query component ([RFC3986] Section 3.4), which MUST be retained when adding additional query parameters. The endpoint URI MUST NOT include a fragment component.

https://www.rfc-editor.org/rfc/rfc6749#section-3.1.2

The last sentence is the deal breaker here:

The endpoint URI MUST NOT include a fragment component.

If you want to use PKCE in your app and still use hash-based routing in Vue, you should have the page defined in the redirect URI not be handled by Vue at all. Hosting a static authenticate.html like in the OAuth 2.0 demo is enough to suffice, but you can't have Vue handle 100% of this and use hash-based routing.
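
The RFC 6749 section 3.1.2 rules quoted in the comment above, as an added example that is not part of the thread or of arcgis-rest-js: it rejects redirect URIs that are not absolute or that carry a fragment, and retains an existing query component when appending response parameters. The function names and the `app.example` URLs are hypothetical.

```javascript
// Added example: RFC 6749 section 3.1.2 checks for a redirect URI.
// checkRedirectUri / appendResponseParams are hypothetical helper names.

function checkRedirectUri(raw) {
  // A literal "#" in a URI can only start the fragment. Testing the raw
  // string also catches an empty fragment ("...#"), which URL.hash hides.
  if (raw.includes("#")) {
    return { ok: false, reason: "fragment component present" };
  }
  let url;
  try {
    url = new URL(raw); // throws on relative references (no base given)
  } catch {
    return { ok: false, reason: "not an absolute URI" };
  }
  return { ok: true, url };
}

// Append authorization response parameters (e.g. code, state) while
// retaining any query component already present on the redirect URI.
function appendResponseParams(raw, params) {
  const result = checkRedirectUri(raw);
  if (!result.ok) {
    throw new Error(`invalid redirect URI: ${result.reason}`);
  }
  for (const [key, value] of Object.entries(params)) {
    result.url.searchParams.append(key, value);
  }
  return result.url.toString();
}

// Constructed sample inputs: a hash-routed page versus a static page.
const samples = [
  "https://app.example/#/authenticate",    // hash route: rejected
  "https://app.example/authenticate.html", // static page: accepted
  "/authenticate.html",                    // relative: rejected
];
for (const s of samples) {
  const r = checkRedirectUri(s);
  console.log(s, "->", r.ok ? "ok" : r.reason);
}
```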