
I have problems reading the parameters with the following URL: http://example.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA&state=xyz&token_type=example&expires_in=3600 Example from: https://www.rfc-editor.org/rfc/rfc6749#section-4.1.3

I receive the request with a simple implementation of com.sun.net.httpserver.HttpServer for integration test purposes. Apparently, the HttpServer cannot handle the # symbol in the URL.

Here is my code. The System.out prints only: /oidc_test_callback

What do I need to do to read the parameter 'access_token'?

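```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpHandler;
import com.sun.net.httpserver.HttpServer;

import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.URI;

class OidcCallbackServer {

    private final HttpServer server;
    private final OidcCallbackHandler oidcCallbackHandler;

    OidcCallbackServer(final int port) throws IOException {
        this.server = HttpServer.create(new InetSocketAddress(InetAddress.getLocalHost().getHostAddress(), port), 0);
        this.oidcCallbackHandler = new OidcCallbackHandler();
        this.server.createContext("/oidc_test_callback", this.oidcCallbackHandler);
        this.server.setExecutor(null); // creates a default executor
        this.server.start();
    }

    private class OidcCallbackHandler implements HttpHandler {

        @Override
        public void handle(final HttpExchange request) throws IOException {
            // Print the request URI exactly as the server received it
            URI requestURI = request.getRequestURI();
            System.out.println(requestURI);
            // Complete the exchange so the client is not left waiting
            request.sendResponseHeaders(200, -1);
            request.close();
        }
    }
}
```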

Here is my URL for the Keycloak Server: https://keycloak:8443/auth/realms/testRealm/protocol/openid-connect/auth?client_id=my_client_id&redirect_uri=http%3A%2F%2F192.168.202.105%3A50022%2Foidc_test_callback&response_type=id_token&scope=openid+profile&state=vZq7QdXKXsHQ3cF8hczQ4cUgPNjMjfqij-cgI7pIv4E&nonce=wHzXl08I49_OzYkA5lJkn0ZEitWZfJQFEoF12bMoK3A

...and it results in: http://my-local-ip:50022/oidc_test_callback#state=vZq7QdXKXsHQ3cF8hczQ4cUgPNjMjfqij-cgI7pIv4E&session_state=d23b427b-99fa-4bcb-a939-b66a3e91d77d&id_token=---content-of-id-token---

When "response_type" in the first URL is "code" instead of "id_token" the URL looks like: http://192.168.202.105:50022/oidc_test_callback?state=VgWjE0IxIc2JV3iZ14KzLsXGeBPtvKeJURnNL2yE9FA&session_state=d23b427b-99fa-4bcb-a939-b66a3e91d77d&code=4cc3a01a-a0d1-482c-8bb6-163a4d7fe287.d23b427b-99fa-4bcb-a939-b66a3e91d77d.f0001f26-ff85-47c6-befa-76f97a68ad02

So there is no "#" symbol but the common "?".

Amen
  • You cannot invoke your server with the given URL (http://example.com/cb...). What URL are you invoking? – pringi Feb 08 '22 at 11:37
  • **The server never _receives_ the fragment;** dupe https://stackoverflow.com/questions/3664257/why-is-the-hash-part-of-the-url-not-available-on-the-server-side and https://stackoverflow.com/questions/40814925/number-sign-hash-symbol-breaks-code . **If you want _parameters_** on an HTTP GET, the syntax is `host:port/path/to/resource?a=1&b=2&c=3&etc` with a **question mark not a hash sign**. (For a POST, the parameters are in the body.) – dave_thompson_085 Feb 08 '22 at 12:42
  • Also see https://en.wikipedia.org/wiki/Uniform_Resource_Identifier#Syntax and particularly the link 'fragment identifier' to https://en.wikipedia.org/wiki/URI_fragment which says "Fragments ... are evaluated by the client (browser) [and not sent to the server]." – dave_thompson_085 Feb 08 '22 at 12:57
  • Thanks for the information! I'm going to extract the URL from my headless browser. This will work for my testing. – Amen Feb 08 '22 at 13:13
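
The approach the thread ends on, reading the final redirect URL on the client side and parsing its fragment there, shown as an added example that is not code from the question or its comments. The class and method names are hypothetical, the id_token value is a constructed placeholder, and the URL string is assumed to have been read from the headless browser after the redirect; the example also checks `state` against the value sent in the authorization request before returning the token.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.LinkedHashMap;
import java.util.Map;

/** Added example (hypothetical names): parse an OIDC fragment response captured on the client side. */
public class FragmentResponseParser {

    /** Splits "a=1&b=2" into decoded key/value pairs; returns an empty map for null or "". */
    static Map<String, String> parseParams(String raw) {
        Map<String, String> params = new LinkedHashMap<>();
        if (raw == null || raw.isEmpty()) return params;
        for (String pair : raw.split("&")) {
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(URLDecoder.decode(key, StandardCharsets.UTF_8),
                       URLDecoder.decode(value, StandardCharsets.UTF_8));
        }
        return params;
    }

    /** Returns the id_token from the fragment, but only if state matches the value sent in the request. */
    static String idTokenFromRedirect(String finalUrl, String expectedState) {
        Map<String, String> params = parseParams(URI.create(finalUrl).getRawFragment());
        String state = params.getOrDefault("state", "");
        boolean stateOk = MessageDigest.isEqual(state.getBytes(StandardCharsets.UTF_8),
                                                expectedState.getBytes(StandardCharsets.UTF_8));
        if (!stateOk) throw new IllegalStateException("state mismatch, rejecting response");
        String idToken = params.get("id_token");
        if (idToken == null) throw new IllegalStateException("no id_token in fragment");
        return idToken;
    }

    public static void main(String[] args) {
        // Constructed sample: the redirect shape from the question, with a placeholder token.
        String state = "vZq7QdXKXsHQ3cF8hczQ4cUgPNjMjfqij-cgI7pIv4E";
        String url = "http://192.168.202.105:50022/oidc_test_callback#state=" + state
                + "&session_state=d23b427b-99fa-4bcb-a939-b66a3e91d77d&id_token=PLACEHOLDER.ID.TOKEN";
        // getRawQuery() covers only the '?' part, which this response mode does not use.
        System.out.println("query    = " + URI.create(url).getRawQuery());
        System.out.println("id_token = " + idTokenFromRedirect(url, state));
    }
}
```

In a test, the returned id_token still needs its signature, issuer, audience and nonce validated before any claim in it is trusted.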

0 Answers