Reputation: 2862
I am trying to troubleshoot an SPA application which does authentication through Auth0 by first redirecting to their site for providing the credentials, then to a /callback path on their site with the token included in the URL query string, and finally to a /callback path on my app's static file site. Just yesterday, I noted in DevTools, in the Network tab, that Chrome gets the 302 with the location header set to my app's /callback path AND including the query string, but when Chrome does the redirection it drops the query string. It seems this behavior may have started recently and was intermittent yesterday but consistent today. Since the 302 redirect goes from auth0.com to my app's domain, is this some new cross-site security feature?
Here is the request trail:
POST to https://my-app.auth0.com/login/callback with the token, etc. in the body.
Response is HTTP 302 with a location header like: https://myapp.com/callback#access_token=...
GET to https://myapp.com/callback
<-- no query string!
I'm using Chrome Version 80.0.3987.149 (Official Build) (64-bit) on Ubuntu Linux in incognito mode. Any help appreciated!
Upvotes: 0
Views: 2018
Reputation: 2862
The #access_token=... part of the URL is not a query string, but a URL fragment. The browser retains this and applies it to the returned page content. You can access this fragment from JavaScript on the page. This is the standard approach that Auth0 uses for single-page apps.
Upvotes: 1
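The distinction the answer draws can be seen directly with the WHATWG URL API, which behaves the same in Node and in the browser's `window.location`. The following is an added example, not code from the question, the answer, or Auth0: it splits a callback URL of the shape shown in the question into the query part (which is sent to the server) and the fragment part (which the browser keeps locally), and shows that the request target a server would see contains no token. The sample URL, the placeholder token value and the `expectedState` parameter are constructed for the example; the `state` comparison stands in for the value a real SPA would have stored before redirecting to Auth0.

```javascript
// Added example (not from the original question or answer). URL and
// URLSearchParams are globals in Node and in browsers.

// Constructed sample of the redirect target from the question; the token and
// state values are placeholders, not real credentials.
const SAMPLE_CALLBACK =
  'https://myapp.com/callback#access_token=PLACEHOLDER_TOKEN&token_type=Bearer&expires_in=7200&state=abc123';

// Split a callback URL into its query parameters (transmitted to the server)
// and its fragment parameters (retained by the browser, never transmitted).
function splitCallbackUrl(href) {
  const url = new URL(href);
  return {
    // url.search carries a leading '?', which URLSearchParams strips itself.
    query: Object.fromEntries(new URLSearchParams(url.search)),
    // url.hash carries a leading '#', which URLSearchParams does NOT strip,
    // so drop it explicitly before parsing.
    fragment: Object.fromEntries(new URLSearchParams(url.hash.slice(1))),
  };
}

// The request target a server receives is the path plus the query only.
// This is why the GET to /callback in the question shows nothing after it.
function requestTarget(href) {
  const url = new URL(href);
  return url.pathname + url.search;
}

// Defensive read of the fragment: require an access_token and check that the
// returned `state` matches the value the app generated before the redirect
// (expectedState is an assumed stand-in for that stored value).
function extractAccessToken(href, expectedState) {
  const { fragment } = splitCallbackUrl(href);
  if (!fragment.access_token) {
    throw new Error('no access_token in URL fragment');
  }
  if (fragment.state !== expectedState) {
    throw new Error('state mismatch: callback does not belong to this login attempt');
  }
  return {
    token: fragment.access_token,
    tokenType: fragment.token_type,
    expiresIn: Number(fragment.expires_in),
  };
}

// Stand-alone demonstration.
console.log('server sees:', requestTarget(SAMPLE_CALLBACK));
console.log('browser keeps:', splitCallbackUrl(SAMPLE_CALLBACK).fragment);
console.log(extractAccessToken(SAMPLE_CALLBACK, 'abc123'));
```

In a page served at /callback, the same parsing would start from `window.location.hash` instead of a string constant, and the app would typically clear the fragment afterwards (for example with `history.replaceState`) so the token does not linger in the address bar or browser history.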