
I have a Spring OAuth2 server set up and it's working fine when the clients authenticate. The issue is that when the client is the browser the access token is shown on the redirect URL in the address bar and the browser remembers it.

Is there a way for the Authentication server to send back the access token in a safer way while still redirecting?

FourtyTwo
  • You are using the implicit flow, right? – dur Jan 29 '18 at 12:36
  • Yes I am using it. – FourtyTwo Jan 29 '18 at 12:41
  • It's an angular app. The idea is to have all browser clients authenticating to a single sign in page on the authentication server then redirect it back with the tokens. Maybe those token inside a header or something. – FourtyTwo Jan 29 '18 at 15:10
  • There is no way to change it, the spec is clear on this point. You could instead use the "code" flow, which returns the access token in the response body without any redirect. – dur Jan 29 '18 at 15:30
  • The issue with that is that now the client must have its credentials hard coded and available for everyone to see – FourtyTwo Jan 30 '18 at 09:16
  • Yes, I know. The "code" flow is made for a web app, which can save the credentials, so that nobody can see the credentials. – dur Jan 30 '18 at 09:41

1 Answer


The OAuth 2.0 Form Post Response Mode introduces a new transport mode for the access token response based on a form POST.

To use it, it has to be implemented in your authorization server and the query parameter response_mode with the value form_post has to be understood.

As far as I know, there is no specification related to a transport using a response header.

Spomky-Labs
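To make the difference concrete, here is an added example (not code from the question, the answer, or Spring) that builds the two authorization responses side by side: the implicit-flow fragment redirect the asker is seeing, and the auto-submitting HTML page an authorization server would return for `response_mode=form_post`. The redirect URI, token and state values are constructed sample data; `escapeHtml` and `selectRedirectUri` are hypothetical helper names chosen for this illustration.

```javascript
// Added example: implicit fragment redirect vs. form_post response.
// Assumes Node.js; all values below are constructed sample data.

// Every parameter lands inside an HTML attribute, so it must be escaped or a
// crafted state/redirect value could break out of the form markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Implicit flow (response_type=token, default response_mode=fragment): the
// token travels in the URL fragment, so it shows up in the address bar and
// is kept in the browser history, which is exactly the problem described.
function implicitRedirectUrl(redirectUri, params) {
  const fragment = new URLSearchParams(params).toString();
  return `${redirectUri}#${fragment}`;
}

// Form Post Response Mode (response_mode=form_post): instead of a 302, the
// authorization server answers 200 with an HTML page whose hidden form
// auto-submits the same parameters by POST to the redirect URI. The browser
// navigates to the redirect URI without the token ever being part of a URL.
function formPostResponse(redirectUri, params) {
  const inputs = Object.entries(params)
    .map(([name, value]) =>
      `    <input type="hidden" name="${escapeHtml(name)}" value="${escapeHtml(value)}">`)
    .join('\n');
  return [
    '<!DOCTYPE html>',
    '<html><head><title>Submit This Form</title></head>',
    '<body onload="javascript:document.forms[0].submit()">',
    `  <form method="post" action="${escapeHtml(redirectUri)}">`,
    inputs,
    '  </form>',
    '</body></html>',
  ].join('\n');
}

// Applies in both modes: the server should only ever deliver the response to
// a redirect URI that was pre-registered for the client (exact string match),
// otherwise form_post just changes where a leaked token is posted to.
function selectRedirectUri(registeredUris, requested) {
  return registeredUris.includes(requested) ? requested : null;
}

// Constructed sample values for a stand-alone run.
const sampleParams = {
  access_token: 'sample-access-token',
  token_type: 'bearer',
  expires_in: '3600',
  state: 'abc123',
};
const registered = ['https://client.example.org/callback'];
const target = selectRedirectUri(registered, 'https://client.example.org/callback');

if (target !== null) {
  console.log('implicit (fragment) redirect:');
  console.log(implicitRedirectUrl(target, sampleParams));
  console.log('\nform_post response body:');
  console.log(formPostResponse(target, sampleParams));
}
```

The form_post page is what the client's redirect endpoint receives as a POST body rather than as URL parameters, so the Angular callback route would read the token from the posted form (via the server that hosts it) instead of from `window.location`. Note that this only changes the transport of the response; it does not remove the need for the `state` check or for exact redirect URI matching on the server side.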