{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 时光不老,我们不散 的问题《URL fragment missing from redirect URI》','https://www.manongdao.com/q-1111626.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I'm testing a Qt based OAuth library (https://github.com/pipacs/o2). I'm testing OAuth 2.0 against Facebook as the provider.
I'm testing the ImplicitGrant flow of the protocol. In this flow, if a client sets the *request_type* query param to token, then the response is included as a URL fragment and contains an access token.
Facebook, on successful authentication in the browser, responds back with a redirect to the uri that I provide and the access token is sent in the URL fragment.
Eg: the browser is redirected to:
http://mylocalserver.com:8888/#access_token=ABCDE&expires_in=5162322
mylocalserver.com=localhost
I have a tiny HTTP server implemented in Qt which handles all such redirects.
The problem is that on getting an incoming connection, i.e from the browser which initiated it on a redirect, when I read the data from the socket, I see that the fragment part is missing! Eg: for the above local url, the data I'm seeing is:
GET / HTTP/1.1 Host: 127.0.0.1:8888 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive
As you can see the fragment is completely missing. Looking around for this problem, I found that FF/Chrome might put fragments in the Location header. But I don't see that either.
Any idea as to why the fragment is getting lost and how to get it back/instruct the browser to send it?
The implict flow is meant to be used in situations where there's no "server". Fragments (and the access token in it) would be extracted by client side code (e.g. javascript, native clients, etc). That is for situations where you can't keep a secret securely. When you can (as in a server), you typically use the authorization code flow. The fragment missing in the GET to the server is expected.