Closed mattkinnersley closed 1 month ago
The proper way to do this, as Dax pointed out, is to use response_type=code
which gives back a code which can be swapped for a token using the /token
endpoint on your auth domain. Closing as this solves my issue.
Within the AuthHandler, the success callback provides three things:
The session function is doing too many things for my use case. In a Next.js application, I have an API route that acts as my final callback to the front end. This API route is server side and does not expose the hash on the Request object. The flow is like this:
SST Auth lambda redirects to www.frontend.com/callback#access_token=abcd1234 ----> Next API Route picks up the request and loses the access_token because the hash is never sent to the server. I believe that is just part of the HTML spec.
If we can also expose the redirect_uri and response_type here, I can do the redirect in my app without using the session function. I'd be able to append the access_token as a query parameter, which does persist across to the server.
The alternative to this is changing how the session function works so that, instead of appending the access token and state to the hash, we append them as query parameters.
I have got a PR open (#436) to resolve this
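The response_type=code flow from the closing comment, as an added example that is not part of the original issue or of SST's code: it shows that the fragment never reaches a server-side route, while a code in the query string does and can be swapped at /token. The function names, `auth.example.com`, the client id and the /token form fields (standard OAuth 2.0 authorization_code grant parameters) are assumptions.

```javascript
// Added illustration; function names, AUTH_DOMAIN and CLIENT_ID are assumptions.
const AUTH_DOMAIN = "https://auth.example.com"; // placeholder auth domain
const CLIENT_ID = "web";                        // constructed sample value
const REDIRECT_URI = "https://www.frontend.com/callback";

// What a server-side route receives: the browser sends only path + query in
// the request line, so anything after '#' never reaches the API route.
function serverVisibleTarget(callbackUrl) {
  const u = new URL(callbackUrl);
  return u.pathname + u.search;
}

// Pull the authorization code out of the request target, rejecting a
// callback whose state does not match the one issued at login.
function readCode(requestTarget, expectedState) {
  const q = new URL(requestTarget, REDIRECT_URI).searchParams;
  if (q.get("state") !== expectedState) throw new Error("state mismatch");
  const code = q.get("code");
  if (!code) throw new Error("no code in callback (fragment not sent to server)");
  return code;
}

// Server-side POST to /token; field names follow the OAuth 2.0
// authorization_code grant and are assumed to match the auth server.
function buildTokenRequest(code) {
  const body = new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: REDIRECT_URI,
    client_id: CLIENT_ID,
  });
  return {
    url: `${AUTH_DOMAIN}/token`,
    init: {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: body.toString(),
    },
  };
}

// Perform the swap; fetchImpl is injectable so the flow can be tested offline.
async function exchangeCode(requestTarget, expectedState, fetchImpl = fetch) {
  const { url, init } = buildTokenRequest(readCode(requestTarget, expectedState));
  const res = await fetchImpl(url, init);
  if (!res.ok) throw new Error(`token endpoint returned ${res.status}`);
  return (await res.json()).access_token;
}
```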