Reputation: 25770
Spring OAuth2 implicit flow redirect url
In my Spring Boot/OAuth2 application I'm trying to login user via my own OAuth2 server with implicit flow with a following url:
http://example.com/api/oauth/authorize?response_type=token&client_id=example_client_id&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Flogin
after login it redirects the user to the following url:
http://localhost:8080/login#access_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoyOTcsInVzZXJfbmFtZSI6ImFkbWluIiwic2NvcGUiOlsicmVh&token_type=bearer&expires_in=43199&scope=read%20write&user_id=297&jti=9d416117-0d08-4f4e-874d-3f31dbe7815f
Is it a correct behavior that the user was redirected to the url with # symbol instead of ?.. I mean:
http://localhost:8080/login?access_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoyOTcsInVzZXJfbmFtZSI6ImFkbWluIiwic2NvcGUiOlsicmVh&token_type=bearer&expires_in=43199&scope=read%20write&user_id=297&jti=9d416117-0d08-4f4e-874d-3f31dbe7815f
if no - how to set up my Spring application OAuth2 server in order to redirect user to a correct url ?
Upvotes: 2
Views: 1948
Answers (1)
Reputation: 18991
The behavior is correct. The authorization code flow requires that response parameters be embedded in the query part of a redirect URI (RFC 6749, 4.1.2. Authorization Response) while the implicit flow requires that response parameters be embedded in the fragment part (RFC 6749, 4.2.2. Access Token Response).
OAuth 2.0 Multiple Response Type Encoding Practices has defined a new request parameter, response_mode. The parameter specifies where response parameters should be embedded. In the specification, query, fragment and none are defined. In addition, OAuth 2.0 Form Post Response Mode has added form_post as a value of response_mode. If response_mode=form_post is included in an authorization request, response parameters are embedded as HTML form parameters.
You can find a table describing the relationship between response_type/response_mode combinations and HTTP status/response parameters' location in "2. Response Format" in Authlete's Definitive Guide.
Upvotes: 7
Related Questions
- Spring Boot + Oauth 2 Single Sign-On ridirect uri misbehaviour
- Spring OAuth redirect URL confusion
- How to implement spring oauth2 custom flow?
- Spring oauth2 dont redirect to original url
- Spring OAuth security - Implicit flow
- Spring Oauth2 redirect uri doesn't change
- Spring security oauth2 wrongly using internal URL as current URI for redirection
- Spring Boot and OAuth2: redirect url over reverse proxy
- Spring Boot and OAuth2 example: redirect not working
- Spring Oauth2 implicit flow