
Under the implicit grant type, the access token is sent as a fragment, not as a parameter. For example: http://localhost/#state=123456789&token_type=Bearer&access_token=xxxxxxxxxxxxxxxxxxxxxxx&scope=write+read&expires_in=2592000.

How can I access it from C#?

    HttpListener listener = new HttpListener();
    listener.Prefixes.Add("http://localhost/");
    listener.Start();
    System.Diagnostics.Process.Start("https://sketchfab.com/oauth2/authorize/?state=123456789&response_type=token&client_id=yyyyyyyyyyyyyyyyyyyyyyyyyyy");
    HttpListenerContext context = listener.GetContext();
    HttpListenerRequest request = context.Request;

    // request.QueryString doesn't contain access_token

    listener.Stop();

Edit: As far as I understand from "How can I get the hash of an url?", I cannot access this information from the server.

The last answer here, "Is it possible to use OAuth 2.0 without a redirect server?", doesn't address Implicit Grant Type.

Andrey
  • Can you get results using Postman? If so, use a sniffer like Wireshark or Fiddler and capture the first request in Postman and compare it to the C# application. Then make C# look like Postman. – jdweng Dec 20 '19 at 13:09
  • I never dealt with Postman. I see the access_token in the URL string in the browser. But I cannot access it from C#. I think it should be more or less simple. – Andrey Dec 20 '19 at 13:16
  • You can capture the browser results instead of Postman. Both will give clues why you cannot get it in C#. – jdweng Dec 20 '19 at 13:35
  • I created a simple page as a response. In Chrome I see the token there in the BaseURI property. As far as I understand, the problem is that fragments don't go to the server. Maybe I should add some code to the response page to extract it? – Andrey Dec 20 '19 at 14:38
  • Fragments could mean a lot of different things, as well as, don't go to server. Redirection means the URL is not correct. Also you could have an issue if the credentials are not the same. A URL is really just an HTML (or equivalent) file on a machine and you may not have the credentials to access the file. – jdweng Dec 20 '19 at 16:23
  • I have edited the question a bit to make it clearer. Redirection doesn't mean the URL is not correct - it is a normal part of OAuth. Fragment means the part of the URL following the # symbol – Andrey Dec 20 '19 at 20:27
  • Why do you need a hash for the URL? If you see the authorization code in the response then you just need to remove the authorization code from the response. – jdweng Dec 20 '19 at 23:54
  • As far as I understand - I see the response in the "request" variable. But there is no token (token is not authorization code - it is another Grant Type). OAuth sends the token somewhere and I just see my simple page in the web browser with a URL – Andrey Dec 21 '19 at 08:13
  • I suspect there is something wrong with a cookie. Can you see a cookie in the request? You are using HTTPS (secure) so there should be an SSL/TLS (TCP messages) exchange. So either the cookie is bad and the server is rejecting the connection (a previous SSL/TLS exchange failed using the cookie); or the SSL/TLS exchange failed. Do you have a certificate? There may be issues with the certificate. – jdweng Dec 21 '19 at 10:19
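
The idea raised in the comments (have the response page extract the fragment), written out as an added example that is not part of the original question or comments: the listener serves a small page whose script POSTs the fragment back to it, and the C# side checks `state` before accepting the token. The class name `ImplicitGrantRelay`, the `/token` path and the `YOUR_CLIENT_ID` placeholder are assumptions; the authorize URL and the `http://localhost/` prefix are taken from the question.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Net;
using System.Security.Cryptography;
using System.Text;
using System.Web; // HttpUtility.ParseQueryString

static class ImplicitGrantRelay
{
    const string ClientId = "YOUR_CLIENT_ID"; // placeholder, not a real client id
    // Served at the redirect URI. The fragment exists only in the browser, so this
    // script POSTs it to the listener and clears it from the address bar.
    const string RelayPage = "<!doctype html><body><script>" +
        "var f = location.hash.slice(1); history.replaceState(null, '', '/');" +
        "fetch('/token', { method: 'POST', body: f }).then(function () {" +
        "document.body.textContent = 'You can close this tab.'; });</script>";

    static void Main()
    {
        var raw = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string state = BitConverter.ToString(raw).Replace("-", ""); // new value per attempt
        string token = null;
        using (var listener = new HttpListener())
        {
            listener.Prefixes.Add("http://localhost/");
            listener.Start();
            Process.Start(new ProcessStartInfo("https://sketchfab.com/oauth2/authorize/" +
                "?response_type=token&client_id=" + ClientId + "&state=" + state) { UseShellExecute = true });
            while (token == null)
            {
                HttpListenerContext ctx = listener.GetContext();
                if (ctx.Request.HttpMethod != "POST" || ctx.Request.Url.AbsolutePath != "/token")
                {
                    ctx.Response.ContentType = "text/html; charset=utf-8";
                    ctx.Response.Close(Encoding.UTF8.GetBytes(RelayPage), false);
                    continue;
                }
                string body = new StreamReader(ctx.Request.InputStream, Encoding.UTF8).ReadToEnd();
                var fields = HttpUtility.ParseQueryString(body);
                // Other pages in the browser can POST here too: accept only our own state.
                if (fields["state"] == state) token = fields["access_token"];
                ctx.Response.StatusCode = token != null ? 204 : 400;
                ctx.Response.Close();
            }
        }
        Console.WriteLine("Token received ({0} characters).", token.Length);
    }
}
```

The token travels in the POST body rather than a query string, so it does not end up in the browser history or in the listener's request URL.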

0 Answers