hikari

Reputation: 3503

OAuth2 with Hash query string, Imgur API

I'm updating my desktop app, an Imgur client, for the upcoming deprecation of code/pin auth methods, by using a local web server to catch the redirect_url from the browser after the user authorizes access to the app. So I launch the URL in the browser, the user accepts, then Imgur redirects to

http://localhost:7710/myapp?state=auth#access_token=....&expires_in= etc

but the browser cuts the URL at # so all the variables are missing, and my app only receives "state=auth"

from Imgur's API docs:

The response_type Parameter token: This authorization flow will directly return the access_token and refresh_token via the redirect URL you specified during registration, in the form of hash query string parameters. Example: http://example.com#access_token=ACCESS_TOKEN&token_type=Bearer&expires_in=3600

The code and pin response types have been deprecated and will soon no longer be supported.

Imgur returns an access token to your application if the user grants your application the permissions it requested. The access token is returned to your application in the fragment as part of the access_token parameter. Since a fragment (the part of the URL after the #) is not sent to the server, client side javascript must parse the fragment and extract the value of the access_token parameter.

Clearly they haven't thought this through for desktop applications, or am I missing something?

Upvotes: 0

Views: 661

Answers (1)

Gary Archer

Reputation: 29218

Imgur stuff looks non-standard, since response_type=token is a basic version of the implicit flow, which used to be the solution for single page apps.

These days all UI based flows should use Authorization Code Flow (PKCE) and response_type=code.

Since your app is acting as a (loopback) web server it will not receive the hash fragment parameters, which are only available to JavaScript code running in a browser.

One option that would enable you to get the full URL would be to login via the system browser and to use a Private URI Scheme to call back to the app.

The above link is a visual blog post to explain how this works, in case it is of interest.

Upvotes: 1
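A sketch of the Authorization Code Flow (PKCE) pieces the answer recommends, as they would look for the question's loopback listener. This is an added example, not code from the question or the answer; `AUTHORIZE_ENDPOINT` and `CLIENT_ID` are placeholders, and nothing here asserts that Imgur's API accepts these parameters.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed placeholders; only the redirect URI comes from the question.
AUTHORIZE_ENDPOINT = "https://auth.example/authorize"
CLIENT_ID = "my-client-id"
REDIRECT_URI = "http://localhost:7710/myapp"


def challenge_for(verifier):
    """S256 code_challenge (RFC 7636): base64url(SHA-256(verifier)), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Fresh (code_verifier, code_challenge) for one authorization request."""
    verifier = secrets.token_urlsafe(64)  # 86 chars, inside the 43..128 limit
    return verifier, challenge_for(verifier)


def build_authorization_url(state, challenge):
    """URL the desktop app opens in the system browser."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_callback(request_target, expected_state):
    """Return the code from the request line the loopback server receives."""
    query = parse_qs(urlsplit(request_target).query)
    state = query.get("state", [""])[0]
    # Constant-time compare; a wrong state means the redirect is not ours.
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if "code" not in query:
        raise ValueError("no authorization code in query string")
    return query["code"][0]
```

With response_type=token the listener only ever sees `/myapp?state=auth`, so `parse_callback` raises instead of returning a credential; with response_type=code the code arrives in the query string and is later exchanged together with the stored `code_verifier`.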
