Shaun Luttin

Reputation: 141662

Handle a successful OpenID Connect authorization response in Safari <=9

Since we're using OpenID Connect, we need the Aurelia router to handle the OpenID Connect authorization response, which looks like this:

https://client.example.org/signin-oidc#
    access_token=SlAV32hkKG
    &token_type=bearer
    &id_token=eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.DeWt4Qu ... ZXso
    &expires_in=3600
    &state=af0ifjsldkj

In order to do that, we've set up the router with push state like this:

// switch from hash (#) to slash (/) navigation
routerConfig.options.pushState = true;

This successfully works in most web browsers. The Aurelia router handles the /signin-oidc route and the client-side code can access the fragment. Good.

There is a problem in Safari <= 9.0 on Yosemite, however, because WebKit bug #24701 removes the fragment on redirects, and a successful OpenID Connect authorization response is a redirect (302 Found). Result: the browser only sends the following, which lacks the fragment. Not good.

https://client.example.org/signin-oidc

The workaround is to put a forward slash in front of the hash:

https://client.example.org/signin-oidc/#
    access_token=SlAV32hkKG
    &token_type=bearer
    &id_token=eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.DeWt4Qu ... ZXso
    &expires_in=3600
    &state=af0ifjsldkj

That solves the WebKit bug, and Safari <= 9 on Yosemite includes the fragment.

Solved? Nope.

The workaround breaks the Aurelia router, which can no longer understand the /# part of the URI. How can we set up the Aurelia router to handle a successful authorization response from the OpenID Connect authorization server?

Upvotes: 3

Views: 591

Answers (1)

Ashley Grant

Reputation: 10897

Our official support policy is that we only support the latest version of evergreen browsers (IE isn't evergreen, so we support IE9+). If a fix can be created that doesn't hurt performance or break current browsers, we'll take a PR.

Upvotes: 2
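
The two callback URL shapes in the question can be parsed before any router sees them. The following is an added example, not part of the original posts and not Aurelia code: a router-independent parser that accepts both /signin-oidc# and /signin-oidc/# and checks state. CALLBACK_PATH, the function names and the sample fragment are assumptions.

```javascript
// Added example, not Aurelia code. CALLBACK_PATH and both function names are
// assumptions; the fragment below is constructed from the values in the question.
const CALLBACK_PATH = "/signin-oidc";
const SAMPLE_FRAGMENT =
  "access_token=SlAV32hkKG&token_type=bearer&id_token=aaa.bbb.ccc" +
  "&expires_in=3600&state=af0ifjsldkj";

// Treat "/signin-oidc" and "/signin-oidc/" as the same route.
function normalizePath(pathname) {
  const trimmed = pathname.replace(/\/+$/, "");
  return trimmed === "" ? "/" : trimmed;
}

// Returns { ok: true, params } or { ok: false, reason }.
function parseAuthorizationResponse(href, expectedState) {
  const url = new URL(href);
  if (normalizePath(url.pathname) !== CALLBACK_PATH) {
    return { ok: false, reason: "not_callback" };
  }
  // An empty fragment is what arrives when the redirect drops it.
  const fragment = url.hash.replace(/^#/, "");
  if (fragment === "") return { ok: false, reason: "missing_fragment" };

  const params = new URLSearchParams(fragment);
  if (params.has("error")) {
    return { ok: false, reason: "error:" + params.get("error") };
  }
  // state ties the response to the request this client sent.
  if (!expectedState || params.get("state") !== expectedState) {
    return { ok: false, reason: "state_mismatch" };
  }
  for (const name of ["access_token", "token_type", "id_token"]) {
    if (!params.get(name)) return { ok: false, reason: "missing_" + name };
  }
  if (params.get("token_type").toLowerCase() !== "bearer") {
    return { ok: false, reason: "unsupported_token_type" };
  }
  // The ID token signature, nonce and audience still need validating elsewhere.
  return { ok: true, params: Object.fromEntries(params) };
}

// Both URL shapes from the question parse to the same result.
for (const path of ["/signin-oidc#", "/signin-oidc/#"]) {
  const r = parseAuthorizationResponse(
    "https://client.example.org" + path + SAMPLE_FRAGMENT, "af0ifjsldkj");
  console.log(path, r.ok, r.ok ? r.params.token_type : r.reason);
}
```

In a browser this would be called with window.location.href and the state value stored when the request was sent, after which history.replaceState can clear the tokens from the address bar.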
