songkick / oauth2-provider

Simple OAuth 2.0 provider toolkit
MIT License

Redirect after authorization appends hash rather than param #36

Closed andrewpbrett closed 12 years ago

andrewpbrett commented 12 years ago

Not sure if this is deliberate. I get redirected to http://example.com#access_token=foo - it seems like it would be friendlier to redirect to http://example.com?access_token=foo and have it come in as a param.

If it's not deliberate, it's just a change to one character on line 99 of provider/authorization.rb.

jcoglan commented 12 years ago

Are you using response_type=token? If so, that's part of the spec -- the token MUST be delivered to the client app in the URL fragment, without being sent back to its server.

jcoglan commented 12 years ago

Closing since there's no bug to address here, unless I'm missing something?
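The difference discussed in this thread, as an added Ruby example (not code from oauth2-provider; `build_redirect` and `request_target` are hypothetical helper names, and the URLs and token values are constructed). It shows that with `response_type=token` the parameters land in the fragment, which a user agent does not transmit when it follows the redirect, while with `response_type=code` they land in the query string, which the client's server receives.

```ruby
require 'uri'

# Hypothetical helper: build the redirect an authorization server sends
# back to the client's redirect_uri for the two response types.
def build_redirect(redirect_uri, response_type, params)
  uri     = URI.parse(redirect_uri)
  encoded = URI.encode_www_form(params)

  case response_type
  when 'token'
    # Implicit grant: parameters go in the URL fragment.
    uri.fragment = encoded
  when 'code'
    # Authorization code grant: parameters are appended to the query,
    # keeping any query the registered redirect_uri already carries.
    uri.query = [uri.query, encoded].compact.join('&')
  else
    raise ArgumentError, "unsupported response_type: #{response_type}"
  end

  uri.to_s
end

# Hypothetical helper: the request-target a user agent puts on the HTTP
# request line when it follows the redirect. The fragment is never part
# of it, so the server behind redirect_uri (and its access logs) does
# not see anything placed after '#'.
def request_target(url)
  uri  = URI.parse(url)
  path = uri.path.empty? ? '/' : uri.path
  uri.query ? "#{path}?#{uri.query}" : path
end

# Constructed sample values.
token_url = build_redirect('http://example.com', 'token', { 'access_token' => 'foo' })
code_url  = build_redirect('http://example.com/cb?x=1', 'code', { 'code' => 'abc' })

puts token_url                   # fragment carries the token
puts request_target(token_url)   # what the server sees: no token
puts code_url                    # query carries the code
puts request_target(code_url)    # what the server sees: includes the code
```
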