Comments (6)
So to your question I can answer: "URL processing would then have to scan for ?" (without special provisions to hashtag).
I'd have to think about it if I wanted to add it into the core. For now, you can do the parsing yourself and just pass it into the callback API.
Could you please point me to where "spec prohibits the callback URL to contain a #"?
https://tools.ietf.org/html/rfc6749#section-3.1.2
from oidc-client-js.
When you're using hashtags in the URL, this library will have no idea where your route ends and the OIDC response params begin. That's why on the callback APIs you can pass the params, as it looks like you're doing above. You just need to strip off the part before the params.
from oidc-client-js.
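The stripping step suggested in the comment above, as an added example that is not part of the thread or of oidc-client-js. The function name, the sample URLs, and the rule that a response must carry `state` are assumptions of this example.

```javascript
// Added example (not oidc-client-js code): find where a hash route ends and
// the OIDC response parameters begin in a callback URL.
const RESULT_KEYS = ["id_token", "access_token", "code", "error"];

// Hypothetical helper. Returns { route, query } or null when the fragment
// carries no OIDC response.
function splitHashCallback(href) {
  const hashAt = href.indexOf("#");
  if (hashAt === -1) return null;              // no fragment at all
  const fragment = href.slice(hashAt + 1);

  // The response parameters come last, so split at the last '?' or '#'
  // found inside the fragment. Without one, the whole fragment is the
  // candidate parameter string and the route is empty.
  const cut = Math.max(fragment.lastIndexOf("?"), fragment.lastIndexOf("#"));
  const route = cut >= 0 ? fragment.slice(0, cut) : "";
  const query = cut >= 0 ? fragment.slice(cut + 1) : fragment;

  const params = new URLSearchParams(query);
  const hasResult = RESULT_KEYS.some((key) => params.get(key));
  // Assumption: the request sent `state`, so a genuine response echoes it.
  // This keeps ordinary route queries (e.g. "?page=2") from being treated
  // as an OIDC response.
  if (!hasResult || !params.get("state")) return null;
  return { route, query };
}

// Constructed sample URLs covering the routing styles discussed in the thread.
const samples = [
  "https://app.example/#/callback?id_token=aaa&access_token=bbb&state=s1",
  "https://app.example/#/callback#id_token=aaa&state=s1",
  "https://app.example/#id_token=aaa&state=s1",
  "https://app.example/#/orders?page=2",
];
for (const url of samples) {
  const found = splitHashCallback(url);
  console.log(url, "=>", found ? found.query : "no OIDC response");
}
```

The returned `query` string is the value to hand to the callback API in place of the full location, as the comment above describes.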
Generally - no. A route is everything from '#' to '?'. I don't know about the Angular style, but Durandal uses '?' for the query string. Even if you're right about two parts, OIDC parameters are always last and have constant names (id_token, access_token). I see no reason to break the URL scan after the hashtag.
from oidc-client-js.
So the URL processing would then have to scan for ? after # in case it's a routing style URL. That sounds slightly presumptive, and that's why you always have the option to pass the URL you want processed in as a param to the callback APIs.
Technically the spec prohibits the callback URL to contain a #, but we leave this decision up to you.
from oidc-client-js.
So to your question I can answer: "URL processing would then have to scan for ?" (without special provisions to hashtag).
Could you please point me to where "spec prohibits the callback URL to contain a #"? I found only a paragraph about Identifier Normalization. According to the specification https://openid.net/specs/openid-authentication-2_0.htm only Identifiers MUST be normalized (including stripping the fragment part). The openid.return_to is a URL (not an Identifier) and does not require normalization.
I pay so much attention to this issue because your Identity Server is the best tool for me when it comes to building SPA authorization. A SPA must use # for routes for compatibility purposes (https://en.wikipedia.org/wiki/Single-page_application).
SPA developers need such a solution (oidc-client), as I wrote to you a year ago, and you did it. I am grateful to you for it.
from oidc-client-js.
Since you have a workaround, I'll close this.
from oidc-client-js.