Auth isn't passing through the `redirect_uri` or `response_type` to the success callback

[mattkinnersley]

Within the AuthHandler, the success callback provides three things:

• an object that holds the session function for creating a new token and redirecting back with the token in the hash,
• The input that holds the provider, the tokenset and the oauth client
• the raw request

The session function is doing too many things for my usecase. In a Next.js application, I have an API route that acts as my final callback to the front end. This API route is server side and does not expose the hash on the Request object. The flow is like this:

SST Auth lambda redirects to www.frontend.com/callback#access_token=abcd1234 ----> Next API Route picks up the request and loses the access_token because the hash is never sent to the server. I believe that is just part of the HTML spec.

If we can also expose the redirect_uri and response_type here, I can do the redirect in my app without using the session function. I'd be able to append the access_token as a query parameter which does persist between across to the server.

The alternative to this is changing how the session function works and instead of appending the access token and state to the hash, we append it as a query parameter.

I have got a PR open (#436) to resolve this

[mattkinnersley]

The proper way to do this, as Dax pointed out, is to use response_type=code which gives back a code which can be swapped for a token using the /token endpoint on your auth domain. Closing as this solves my issue.