
We're having a very strange issue all of a sudden with Google's OAuth protocol. For the past 2 months, we have had working code here, and all of a sudden requests exchanging the authorization code for the access and refresh tokens are failing.

I noticed that on the response for the authorization code, there's an extra # appended to the URL as below:

http://localhost/?code=[AUTHORIZATION CODE]#

Pulling the parameter out results in [AUTHORIZATION CODE]# as the code, and passing this in to the token request endpoint causes a failure.

Removing the # from this string fixes the issue. Did Google change something today? I also noticed that there has supposedly been a spike in login outages since this morning on other sites like this. Any insights would be very helpful.

SGC
rebello95
  • interesting, I noticed the "#" too; but since the `code` is supposed to be sent to the backend, the browser would strip the fragment before calling the redirect URI; doesn't that happen in your case? – Hans Z. Apr 28 '15 at 16:22
  • @HansZ. Ah, may be because I'm using `webView:shouldStartLoadWithRequest:navigationType:` to pull out the `code`. I'm using the same code to handle logins with Exchange, Live, 365, and Google (and for some reason Microsoft's callback URLs don't allow custom URL schemes) so I had to do it this way. – rebello95 Apr 28 '15 at 18:07
  • technically your code is incorrect then since it plays the role of the User Agent and should strip the fragment like a regular browser would do... – Hans Z. Apr 28 '15 at 18:17
  • @HansZ. Hmm. Anything else it should strip aside from the `#`? – rebello95 Apr 28 '15 at 18:29
  • nope; about the fragment, see http://stackoverflow.com/questions/3664257/why-the-hash-part-of-the-url-is-not-in-the-server-side – Hans Z. Apr 28 '15 at 19:36

0 Answers
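
The fragment handling discussed in the comments, as an added example that is not part of the original post: it reads `code` from the parsed query component with `NSURLComponents`, so a trailing `#` never ends up in the value. The helper name `AuthorizationCodeFromRedirect`, the redirect-URI comparison and the sample URLs are assumptions made for illustration.

```objc
#import <Foundation/Foundation.h>

// Hypothetical helper (not from the original post): returns the OAuth `code`
// from a redirect URL, or nil if the URL is not the expected redirect URI or
// carries no usable code.
static NSString *AuthorizationCodeFromRedirect(NSURL *url, NSURL *expectedRedirect) {
    NSURLComponents *got = [NSURLComponents componentsWithURL:url resolvingAgainstBaseURL:NO];
    NSURLComponents *want = [NSURLComponents componentsWithURL:expectedRedirect resolvingAgainstBaseURL:NO];
    if (got.scheme == nil || got.host == nil || want.scheme == nil || want.host == nil) {
        return nil;
    }

    // Accept only the registered redirect URI (scheme, host, port, path), so a
    // `code` parameter on some other page loaded in the web view is ignored.
    NSString *gotPath = got.path.length ? got.path : @"/";
    NSString *wantPath = want.path.length ? want.path : @"/";
    BOOL samePort = (got.port == want.port) || [got.port isEqual:want.port];
    if ([got.scheme caseInsensitiveCompare:want.scheme] != NSOrderedSame ||
        [got.host caseInsensitiveCompare:want.host] != NSOrderedSame ||
        !samePort || ![gotPath isEqualToString:wantPath]) {
        return nil;
    }

    // Read `code` from the parsed query only. The fragment lives in
    // got.fragment and never reaches the value. A repeated `code` is rejected.
    NSString *code = nil;
    for (NSURLQueryItem *item in got.queryItems) {
        if (![item.name isEqualToString:@"code"]) continue;
        if (code != nil) return nil;
        code = item.value;
    }
    return code.length > 0 ? code : nil;
}

int main(void) {
    @autoreleasepool {
        // Constructed sample values, shaped like the redirect in the question.
        NSURL *redirect = [NSURL URLWithString:@"http://localhost/"];
        NSURL *callback = [NSURL URLWithString:@"http://localhost/?code=CONSTRUCTED_CODE#"];

        // Slicing the whole URL string keeps everything after "code=",
        // including the fragment delimiter.
        NSString *naive = [[callback.absoluteString componentsSeparatedByString:@"code="] lastObject];
        NSLog(@"string slicing: %@", naive);
        NSLog(@"parsed query:   %@", AuthorizationCodeFromRedirect(callback, redirect));
    }
    return 0;
}
```

In a `webView:shouldStartLoadWithRequest:navigationType:` delegate, the helper would be called with `request.URL` and the redirect URI registered for the OAuth client.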