This might be a newbie question but I couldn't find any answers to this on SO or Okta forums/guides. I've configured my Okta app to redirect to https://localhost:443/auth/callback when a user signs in and grants consent to a scope. I'm using implicit grant and the redirect works, but in my /auth/callback the request query, headers, and body don't contain the access token. It's only when I call res.end() that Express redirects to the below URL:

https://localhost/auth/callback#access_token=accessTokenHere&token_type=Bearer&expires_in=3600&scope=openid+phone&state=myState

How do I retrieve the access token? My express route:

const express = require('express');
const router = express.Router();

router.get('/auth/callback', (req, res) => {
    console.log(req.headers); // no access token here
    console.log(req.query);   // {} - nothing after '#' ever reaches the server
    console.log(req.body);    // {}
    res.end(); // redirects to https://localhost/auth/callback#access_token=accessTokenHere&token_type=Bearer&expires_in=3600&scope=openid+phone&state=myState
});

module.exports = router;

2 Answers


That's because what comes after # in the URL is called the URI fragment identifier, and it won't be sent to the server. It's used in the browser and can be accessed via window.location.hash.

Instead of # you can use ? (and keep the part after it as it is), which is called query parameters and can be accessed via req.query.query_name; in your case query_name is access_token, token_type, expires_in...

    Thanks! Looks like Okta won't send the token in query params if using implicit grants though, so I had to redirect to an HTML page/route. Thanks for putting me on the right path though! – Zack Oct 25 '20 at 02:23
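As an added example (not code from the question or either answer), this is how the callback page can read the fragment in the browser, as the answer above describes, checking the state value before trusting the token. The sample hash is constructed from the URL quoted in the question; the sessionStorage key name is an assumption.

```javascript
// Sample fragment, constructed from the URL in the question.
const SAMPLE_HASH =
  '#access_token=accessTokenHere&token_type=Bearer&expires_in=3600' +
  '&scope=openid+phone&state=myState';

// Turn "#a=1&b=2" into a plain object. URLSearchParams decodes "+" as a
// space, so scope=openid+phone becomes "openid phone".
function parseFragment(hash) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  return Object.fromEntries(new URLSearchParams(raw).entries());
}

// Validate the fragment against the state value the app generated before it
// sent the browser to Okta. A mismatched state, an error response, a missing
// token or a non-Bearer token type all cause the result to be discarded.
function readImplicitCallback(hash, expectedState) {
  const p = parseFragment(hash);
  if (p.error) {
    throw new Error(`authorization error: ${p.error}`);
  }
  if (!expectedState || p.state !== expectedState) {
    throw new Error('state mismatch: discarding token');
  }
  if (p.token_type !== 'Bearer' || !p.access_token) {
    throw new Error('unexpected or missing token');
  }
  return {
    accessToken: p.access_token,
    expiresIn: Number(p.expires_in),
    scopes: p.scope ? p.scope.split(' ') : [],
  };
}

// Browser entry point: consume the fragment once, then clear it from the URL
// so the token does not linger in history or leak through the Referer header.
// 'oauth_state' is an assumed sessionStorage key set before the redirect.
function handleCallbackPage() {
  const expected = sessionStorage.getItem('oauth_state');
  const result = readImplicitCallback(window.location.hash, expected);
  sessionStorage.removeItem('oauth_state');
  history.replaceState(null, '', window.location.pathname);
  return result;
}
```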

The [responseMode](https://github.com/okta/okta-auth-js#responsemode-1) could be set to one of these values: fragment, form_post, query or okta_post_message. Ref: https://developer.okta.com/docs/reference/api/oidc/#request-parameters
