stackoom
  简体   繁体   中英

Spring OAuth2 implicit flow redirect url

 原文  2016-12-17 19:40:33       java/ spring/ spring-boot/ spring-security/ oauth2

Question

In my Spring Boot/OAuth2 application I'm trying to login user via my own OAuth2 server with implicit flow with a following url: 

http://example.com/api/oauth/authorize?response_type=token&client_id=example_client_id&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Flogin

after login it redirects the user to the following url: 

http://localhost:8080/login#access_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoyOTcsInVzZXJfbmFtZSI6ImFkbWluIiwic2NvcGUiOlsicmVh&token_type=bearer&expires_in=43199&scope=read%20write&user_id=297&jti=9d416117-0d08-4f4e-874d-3f31dbe7815f

Is it a correct behavior that the user was redirected to the url with # symbol instead of ? .. I mean: 

http://localhost:8080/login?access_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoyOTcsInVzZXJfbmFtZSI6ImFkbWluIiwic2NvcGUiOlsicmVh&token_type=bearer&expires_in=43199&scope=read%20write&user_id=297&jti=9d416117-0d08-4f4e-874d-3f31dbe7815f

if no - how to set up my Spring application OAuth2 server in order to redirect user to a correct url ?

1 answers

solution1
 6 ACCPTED  2016-12-18 05:12:35

The behavior is correct. The authorization code flow requires that response parameters be embedded in the query part of a redirect URI (RFC 6749, 4.1.2. Authorization Response ) while the implicit flow requires that response parameters be embedded in the fragment part (RFC 6749, 4.2.2. Access Token Response ).

OAuth 2.0 Multiple Response Type Encoding Practices has defined a new request parameter, response_mode . The parameter specifies where response parameters should be embedded. In the specification, query , fragment and none are defined. In addition, OAuth 2.0 Form Post Response Mode has added form_post as a value of response_mode . If response_mode=form_post is included in an authorization request, response parameters are embedded as HTML form parameters.

You can find a table describing the relationship between response_type / response_mode combinations and HTTP status/response parameters' location in " 2. Response Format " in Authlete's Definitive Guide.

在此处输入图片说明

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Spring Oauth2 implicit flow Spring oauth2 dont redirect to original url Spring Boot2 Oauth2 Implicit Flow - http://localhost:8080/oauth/authorize getting Access Denied Spring Boot and OAuth2: redirect url over reverse proxy Reactive Spring Security Oauth2 : invalid redirect url Spring Oauth2 client credentials flow example Simple Spring Oauth2 flow using Postman Redirect URL for Spring OAuth2 app on Azure with Active Directory: Invalid Redirect URI Parameter Spring 5 Security OAuth2 Login Redirect Loop Spring boot oauth2 response with redirect url as underlying service instead of proxy (Gateway)
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM