openid / AppAuth-JS

JavaScript client SDK for communicating with OAuth 2.0 and OpenID Connect providers.
Apache License 2.0

RedirectRequestHandler.completeAuthorizationRequest() assumes that queryParams are returned in the hashed portion of the URL #203

Closed sandyboon closed 2 years ago

sandyboon commented 2 years ago

Expected Behavior

One should be able to specify whether the query params 'state' and 'code' are in the hash portion of the URL or in the query string.

Right now, while parsing the query params, `_this.utils.parse(_this.locationLike, true /* use hash */);` hard-codes the value 'useHash' to true. This should either be an argument to the function completeAuthorizationRequest or to the constructor of the RedirectRequestHandler object.

While constructing the AuthorizationRequest object, set the response_mode value to 'query'.

```javascript
const request = new AuthorizationRequest({
  client_id: fcAuthConfig.clientId,
  redirect_uri: `${window.location.origin}${window.location.pathname}`,
  usePkce: true,
  scope: 'openid',
  response_type: AuthorizationRequest.RESPONSE_TYPE_CODE,
  // Ask the provider to return 'code' and 'state' in the query string
  extras: { 'response_mode': 'query' }
});
```

Perform the authorization request - `authorizationHandler.performAuthorizationRequest(authConfig, request);` and then `await authorizationHandler.completeAuthorizationRequestIfPossible();` after signing in and redirection.

[REQUIRED] Environment

tikurahul commented 2 years ago

You can extend RedirectRequestHandler and ignore useHash.

thardyman commented 1 year ago

e.g. https://github.com/openid/AppAuth-JS/issues/195#issuecomment-953363001
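
The workaround discussed in this thread, sketched as an added example that is not code from the issue or from AppAuth-JS. The override is placed on the parsing utility (the `utils` object quoted in the issue) rather than on the handler itself; `StandInQueryStringUtils` and this `completeAuthorizationRequest` are simplified stand-ins assumed to mirror the behaviour the issue describes, and the URLs and values are constructed.

```javascript
// Simplified stand-in for the library's query-string utility (not AppAuth-JS code):
// reads parameters from the fragment when useHash is true, else from the query string.
class StandInQueryStringUtils {
  parse(locationLike, useHash) {
    const raw = useHash ? locationLike.hash : locationLike.search;
    const params = new URLSearchParams(raw.replace(/^[#?]/, ''));
    return Object.fromEntries(params.entries());
  }
}

// The workaround: accept the caller's useHash but always read the query string.
class NoHashQueryStringUtils extends StandInQueryStringUtils {
  parse(locationLike, _useHash) {
    return super.parse(locationLike, false);
  }
}

// Stand-in for the step the issue describes: useHash is hard-coded to true,
// then the returned state must match the state stored for the pending request.
function completeAuthorizationRequest(utils, locationLike, expectedState) {
  const params = utils.parse(locationLike, true /* use hash */);
  if (!params.state || !params.code) {
    return { ok: false, reason: 'no state/code found' };
  }
  if (params.state !== expectedState) {
    return { ok: false, reason: 'state mismatch' };
  }
  return { ok: true, code: params.code };
}

// Constructed redirect URLs (sample values, not real codes).
const queryRedirect = new URL('https://app.example/callback?code=SAMPLE_CODE&state=abc123');
const fragmentRedirect = new URL('https://app.example/callback#code=SAMPLE_CODE&state=abc123');

const cases = [
  ['default utils, query response', new StandInQueryStringUtils(), queryRedirect],
  ['no-hash utils, query response', new NoHashQueryStringUtils(), queryRedirect],
  ['no-hash utils, fragment response', new NoHashQueryStringUtils(), fragmentRedirect],
];
for (const [label, utils, loc] of cases) {
  console.log(label, completeAuthorizationRequest(utils, loc, 'abc123'));
}
```

The override only helps when the provider actually answers in the query string; a fragment response is then no longer seen. Query-string parameters also reach the server hosting the redirect URI and its logs, which fragment parameters do not.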