iagomr

Reputation: 442

Auth0 - Callback URL never called

I'm integrating Auth0 into an existing client project, and I am having some trouble with the callback URL after login from Auth0.

The issue is that when the callback URL is called, the id_token and the access_token are available only in the hash fragment and not on the query string. To have it available for the server, I would need it in the query string.

My responseType is of type 'code':

this.auth0 = new Auth0({
  clientID: clientId,
  domain: domain,
  responseType: 'code',
  callbackURL: 'http://mydevserver:3000/callback'
});

So the question is, how can I have id_token and access_token in the query strings?

https://auth0.com/docs/tutorials/local-testing-and-development#auth0-and-localhost

Upvotes: 1

Views: 972

Answers (1)

João Angelo

Reputation: 57718

Without the actual code you're using we'll have to do a bit of guessing, but the id_token and access_token are returned on the hash fragment when you're using a response type of token. This is aimed at browser-based applications that, as a consequence, have access to the URL fragment.

If your application is a traditional server-side web application you should be using the code response type so that an authorization code is sent to your server-side as part of the query string. Then on the server-side you can issue a request to exchange this code for the actual tokens.

These two types of flows are defined within the OAuth 2.0 specification:

  • Implicit grant with the token response type (aimed at browser-based applications)
  • Authorization code grant with the code response type (aimed at confidential clients like server-side web applications)

As a reference, you can follow this documentation in order to accomplish what you mentioned: Integrating a Web App with Auth0

Upvotes: 2
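
The server-side half of the authorization code grant described in the answer above, as an added example that is not part of the original answer or Auth0's own code. The tenant domain, client credentials, state value and function names are constructed placeholders; the request is built but not sent.

```javascript
// Server-side handling of the callback for responseType 'code'.
// All values below are constructed placeholders, not taken from the post.
const config = {
  domain: 'example-tenant.auth0.com',
  clientId: 'EXAMPLE_CLIENT_ID',
  clientSecret: 'EXAMPLE_CLIENT_SECRET', // never shipped to the browser
  callbackURL: 'http://mydevserver:3000/callback',
};

// requestUrl is the path + query string the server receives. Browsers never
// send the "#..." fragment, so tokens placed there are invisible at this point.
function parseCallback(requestUrl, expectedState) {
  const params = new URL(requestUrl, config.callbackURL).searchParams;
  if (params.has('error')) {
    throw new Error(`authorization failed: ${params.get('error')}`);
  }
  const code = params.get('code');
  if (!code) throw new Error('no authorization code in query string');
  // state must equal the value stored in the session before the redirect
  if (!expectedState || params.get('state') !== expectedState) {
    throw new Error('state mismatch');
  }
  return code;
}

// Build the back-channel POST that exchanges the code for the tokens.
function buildTokenRequest(code) {
  return {
    url: `https://${config.domain}/oauth/token`,
    options: {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: new URLSearchParams({
        grant_type: 'authorization_code',
        client_id: config.clientId,
        client_secret: config.clientSecret,
        code,
        redirect_uri: config.callbackURL, // must match the authorize request
      }).toString(),
    },
  };
}

// Constructed sample callback, as the server would see it.
const sampleCode = parseCallback('/callback?code=SAMPLE_CODE&state=xyz123', 'xyz123');
const sampleRequest = buildTokenRequest(sampleCode);
// fetch(sampleRequest.url, sampleRequest.options) returns the token JSON.
```
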
