[Solved] OAuth2 redirect URL query string is malformed after successful login

Hi!
I am using the Implicit authentication flow.

  1. User clicks on https://sketchfab.com/oauth2/authorize/?state=xxx&response_type=token&client_id=xxxx&approval_prompt=auto
  2. After successful approval, I get redirected to the right URI, but the query string is malformed, i.e.: http://mydomain.com/path#state=xxx&access_token=yyy&expires_in=2592000&scope=read+write&token_type=Bearer

There is a # instead of a ? in the URL.
In case of a denial of approval, the redirect URI is well formed, though (http://mydomain.com/path?error=access_denied&state=xxx).

Is it normal?
Thanks!

1 Like

Hey there!

This is indeed the intended behaviour regarding the Implicit grant. The reason is that the Implicit grant is inherently less secure, so, in short, it has some additional safeguards. I see two alternatives here:

  • Use the “state” parameter to pass your data (e.g. a base64-encoded JSON object)
  • Use a more robust OAuth flow, typically the auth code flow, if that is a possibility for you.

Hope this helps,

AJ

1 Like

Hi @arthurjamain, thanks for answering. Just to be sure I have formulated it well:
My problem is the # character in the URL. I can’t use “classic” ways to get the params because it’s not a standardized query string with a ? character.

Makes sense?

1 Like

Yep, makes sense. I confirm this is indeed intended. For reference, Google or Facebook OAuth should typically behave in a similar manner.

It is a form of valid query string, though; the separator is just different, and it’s technically not part of a query string.

The point is to prevent injections / leakage to foreign domains, in short.

3 Likes
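Added example (not code from the thread or from Sketchfab): this is the browser-side handling the two answers above describe. The Implicit grant puts the token in the URL fragment (after `#`), which the browser keeps client-side and never sends to the server, so it stays out of server logs and Referer headers; a denial comes back in the ordinary query string (after `?`). The parser below reads whichever part is present, and the `state` helpers implement the “base64-encode a JSON object” suggestion. Two things the thread does not say that a practitioner will want: `state` must also carry an unguessable nonce so the redirect can be tied to a request this client actually started, and the JSON must be base64url-encoded, because plain base64 contains `+`, which `URLSearchParams` would decode as a space (the same reason `scope=read+write` arrives as `read write`). The URLs, the nonce and the `returnTo` payload are constructed for the example.

```javascript
// Added example: consume an OAuth2 Implicit-grant redirect in the browser.
// The nonce, URLs and payload below are constructed sample data.

// Base64url-encode {nonce, data} as the "state" value. The nonce must be
// unguessable in real use (e.g. crypto.getRandomValues); the app data is
// whatever the client wants echoed back, such as where to return the user.
function encodeState(nonce, appData) {
  const json = JSON.stringify({ nonce, data: appData });
  return btoa(json).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Reverse of encodeState. Throws on malformed input.
function decodeState(state) {
  let b64 = state.replace(/-/g, '+').replace(/_/g, '/');
  while (b64.length % 4) b64 += '=';
  return JSON.parse(atob(b64));
}

// Turn "a=1&b=2" (fragment or query, leading '#'/'?' optional) into an object.
// URLSearchParams applies form decoding, so '+' becomes a space.
function parseParams(str) {
  const out = {};
  for (const [k, v] of new URLSearchParams(str)) out[k] = v;
  return out;
}

// Parse the redirect URL the provider sent the browser to. `expectedNonce`
// is the nonce this client stored (e.g. in sessionStorage) before redirecting
// the user to /oauth2/authorize. Returns {ok: true, ...token} or {ok: false, error}.
function parseImplicitRedirect(url, expectedNonce) {
  const u = new URL(url);
  const frag = parseParams(u.hash.replace(/^#/, ''));   // success: token lives here
  const query = parseParams(u.search);                  // denial: error lives here
  const rawState = frag.state !== undefined ? frag.state : query.state;

  let decoded = null;
  try { decoded = decodeState(rawState || ''); } catch (e) { /* fall through */ }
  // Reject anything not tied to a flow this client started.
  if (!decoded || decoded.nonce !== expectedNonce) {
    return { ok: false, error: 'state_mismatch' };
  }
  if (query.error) {
    return { ok: false, error: query.error, appData: decoded.data };
  }
  if (!frag.access_token) {
    return { ok: false, error: 'no_token', appData: decoded.data };
  }
  return {
    ok: true,
    accessToken: frag.access_token,
    tokenType: frag.token_type,
    expiresIn: Number(frag.expires_in),
    scopes: (frag.scope || '').split(' ').filter(Boolean),
    appData: decoded.data,
  };
}

// Constructed sample data mirroring the two URLs from the question.
const NONCE = 'n-123';                                   // would be random in practice
const STATE = encodeState(NONCE, { returnTo: '/models/42' });
const SUCCESS_URL = `http://mydomain.com/path#state=${STATE}&access_token=yyy&expires_in=2592000&scope=read+write&token_type=Bearer`;
const DENIED_URL = `http://mydomain.com/path?error=access_denied&state=${STATE}`;

console.log(parseImplicitRedirect(SUCCESS_URL, NONCE));
console.log(parseImplicitRedirect(DENIED_URL, NONCE));
console.log(parseImplicitRedirect(SUCCESS_URL, 'some-other-nonce'));
```

In a page, call `parseImplicitRedirect(window.location.href, storedNonce)` on load and then remove the fragment with `history.replaceState(null, '', window.location.pathname)` so the token does not linger in the address bar or browser history; keep the token in memory rather than in a cookie, since the fragment design exists precisely to keep it off the wire to your server.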

Thanks, that’s OK for me. I didn’t know about this behaviour; sorry for the misunderstanding.

Cheers,

Xavier

2 Likes