Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Replace # with ? in authentication response #337

Closed
janekolszak opened this issue Dec 28, 2016 · 6 comments
Closed

Replace # with ? in authentication response #337

janekolszak opened this issue Dec 28, 2016 · 6 comments

Comments

@janekolszak
Copy link

Hi!
Standard says an authentication response should return something like this:

https://client.example.org/cb?
    code=SplxlOBeZQQYbYS6WxSbIA
    &state=af0ifjsldkj

Hydra returns same thing but with # instead of ?. This breaks all query parsing in client libraries.
@janekolszak
Copy link
Author

This was found when using a custom protocol name, not http/https.

@aeneasr
Copy link
Member

aeneasr commented Dec 29, 2016
edited
Loading

Could you please include the original OAuth2 request? Hydra does support query param responses, but maybe you're using an implicit or hybrid flow?

@janekolszak
Copy link
Author

janekolszak commented Dec 29, 2016
edited
Loading

I'm using response_type=code id_token
From Hydra's logs:

request="/oauth2/auth?redirect_uri=wta%3A%2F%2Fauth&scope=openid%20all&state=8f6057ae-158e-4755-8a12-20b535bf4202&nonce=b61f68bd-1cb7-448d-ae7b-e0a735574b73&response_type=code%20id_token&client_id=wta-d&consent=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJ3dGEtZCIsImV4cCI6MTQ4Mjk2ODI0NywiaWF0IjoxNDgyOTY4MDA3LCJzY3AiOlsib3BlbmlkIiwiYWxsIl0sInN1YiI6ImIzMjhjNDcyLTRmMTktNDBmNy1hODM5LWRiMGY3ZTkwYmMyMyJ9.NT4hzhQ_kdA-6K_i-bInLiHClXNy7nE6S70Tjo0asx63tfZ610gvAPQId-bxp2bc0pknzzawG_Y99fKGrjDVj99MTlaO_sTRdLrVMbxnD10LDI7Lw13ASr8nb4pVubWVyN0SIfPkvk5gHfS0nuJJWVU2o-jvpgv3T9HrJxVeSwZd3kKAyerGm6pB6i970xVV6lZx4xC73X2YLLdBgMS5j2nz694CxRgczCSW6yLCSCUKRgxQfxYfJ2GCLE_O4A417414j2uQqIxFzDZRdTQvaPU4lAFgYmE0LfsipLFzNKlPA5B4-j05gKwKAA0VW465XjDIltGGfkgY5u1uf4o1Ak-4ovcCvPmDv9r01caMzgpQj9nY-a7e3hjbgDCxPap7Yjo7moot6VlccbYtS1NE1bFQIGHD0BPjjW1RPPmHqrhlRTKrlzOvMh1qjuZcESJ5xlsECS7EOVrL--vLMQ-NXAfCEY-BRkAZkwPIyxtGe0k1ec_qij7DfCYY3ZbBUDZxU32rt98Gjx-UTLlozeWm2Z7OfTffKxx005DXJRWyEH7gL6cIH3XXMjMBkUub0K4Kc-Qr5S9L95gtoroIkfPzB4eCEWBh6ievbDoF38xuzkK4eyt9rIQIGA33pnA4uzslqncoahJtnIUG1Af1YrZNtcMt6qSYlMLfLVMHSSwdgHU"

@aeneasr
Copy link
Member

aeneasr commented Dec 29, 2016

You included &response_type=code%20id_token which implies an hybrid flow which is per spec implicit, meaning that you assume an app running on the client side only which requires a hashbang instead of a query parameter. In order to perform the request you want, you need to remove the id_token from the response_type. The openid scope is enough to return an ID token :)

@janekolszak
Copy link
Author

yeap, thank you.

@aeneasr
Copy link
Member

aeneasr commented Dec 29, 2016

welcome!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@janekolszak @aeneasr