Spotify Redirect adds character before parameters

Question

Problem

I am currently creating a ASP.NET application that has the user login to Spotify before use using the Spotify Web API.

Upon calling the API you specify a response_type, client_id, scope, redirect_uri, and state. When you make the call it redirects you to the "redirect_uri" with the users information as paramaters in json, since I wanted to use the WPF Web Browser I had to add this into my code to allow IE to view JSON (More information here).

   private bool SetRegistery()
    {
        try
        {
            using (var hklm = RegistryKey.OpenBaseKey(RegistryHive.ClassesRoot, RegistryView.Registry64))
            {
                using (RegistryKey key = hklm.OpenSubKey(@"MIME\Database\Content Type\application/json", true))
                {
                    if (key != null)
                    {
                        key.SetValue("CLSID", "{25336920-03F9-11cf-8FD0-00AA00686F13}");
                        key.SetValue("Encoding", new byte[] { 0x80, 0x00, 0x00, 0x00 });
                    }
                }
            }
            return true;
        }
        catch (Exception ex)
        {
            MessageBox.Show(ex.Message);
        }
        return false;
    }

The URL that I first go to is:

https://accounts.spotify.com/authorize?response_type=token&client_id=...&scope=user-read-private+user-read-email&redirect_uri=http%3A%2F%2Fhttpbin.org%2Fget&state=...

The redirect URI is http://httpbin.org/get, which just responds with the passed JSON but when the spotify API redirects me the url comes out to:

http://httpbin.org/get#access_token=...&token_type=Bearer&expires_in=3600&state=...

Instead of the # between the parameters its suppose to be a ?, correcting this manually gives me the result I need.

http://httpbin.org/get?access_token=...&token_type=Bearer&expires_in=3600&state=...

Url Generation

        SpotifyAuthentication spotifyAuth = new SpotifyAuthentication();
        string scope = "user-read-private user-read-email";
        string redirect_uri = "http://httpbin.org/get";
        string state = randomString(16);
        string url = "https://accounts.spotify.com/authorize";
        url += "?response_type=token";
        url += "&client_id=" + WebUtility.UrlEncode(spotifyAuth.clientID);
        url += "&scope=" + WebUtility.UrlEncode(scope);
        url += "&redirect_uri=" + WebUtility.UrlEncode(redirect_uri);
        url += "&state=" + WebUtility.UrlEncode(state);
        authenticationBrowser.Url = new System.Uri(url);
        Debug.WriteLine(new System.Uri(url));

Things I have tried

• When I copy the Spotify URL into my browser it gives the same result which means it isn't on my client side other than maybe in my URL generation above.
• I have tried editing the Navigating event of the browser to edit the url before it redirects but for some reason the function doesn't detect the redirect.

Answer 1

What you seem to be describing is the Implicit Grant Flow from the Authorisation Guide where the final redirect URL is a hash fragment - which is denoted with the # rather than a query string which would be ? instead. This is the correct behaviour - you should be able to read these values from the WPF web browser by getting the Url.Fragment value which will contain the redirected values, however if there's an error or user denies the request this will be a query string value like you expect.