Access Token prefixed with # rather than?

Just curious why the querystring parameter for access_token is prefixed with #access_token= rather than a standard ?access_token=

Example URL:
http://localhost:8000/auth/twitch/#access_token=

I end up having to take hacky approaches because of this & just generally unsure why this is returned this way?

Twitch responds with https://<your registered redirect URI>#access_token=<an access token> for the Implicit OAuth flow because that is what the industry standard calls for so Twitch (like every other site using OAuth that sticks to the specifications for the Implicit grant type) responds according to that standard and uses #access_token=.

Alternatively, unless your app specifically needs to use the Implicit flow, it may be beneficial to use the Authorization Code Flow as then Twitch’s response will use a ?code= querystring param, which can be POST’ed to Twitch which responds with access/refresh/expiration/scopes etc… in the response body.

2 Likes

To put it another way, because you told it to.

You got and asked for

But you expected

2 Likes

How would I have told it to?

My redirect URI is http://localhost:8000/auth/twitch/ not http://localhost:8000/auth/twitch/#

In no way am I directing this behavior intentionally, so what would cause this?

Redirect View:

def twitch_auth_redirect(request):
    # Build the Twitch authorize URL. Adjacent string literals keep the
    # line break and indentation out of the URL itself.
    twitch_url = (
        'https://id.twitch.tv/oauth2/authorize?response_type=token&client_id={1}'
        '&redirect_uri={0}&scope=user_read+channel_subscriptions+user:read:email'
    ).format(
        config.twitch_redirect_uri,
        config.twitch_client_id
    )

    return redirect(twitch_url)

I’ve had this issue in the past, and just used substring to make it valid. Anything stand out to you?

Disregard, I missed the other message. Looking over docs now.

Edit: I see my error and misunderstanding. I’m adjusting, thanks for the guidance.

For future readers, the issue was that I was inadvertently using Implicit Flow as opposed to Authorization Code Flow because I didn’t append response_type=code to my request.

2 Likes

You got it! :smiley:

2 Likes
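The difference between the two flows discussed in this thread, as an added example that is not part of any post above: the Implicit flow puts the token in the URL fragment, which the browser never sends to the server behind the redirect URI, while the Authorization Code flow puts a code in the query string for the server to exchange. The function names, the `state` check and the sample callback URLs are constructed for illustration; the body is built for a POST to `https://id.twitch.tv/oauth2/token` but no request is sent.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE_URL = "https://id.twitch.tv/oauth2/authorize"
TOKEN_URL = "https://id.twitch.tv/oauth2/token"


def build_authorize_url(client_id, redirect_uri, scopes, state):
    """Authorization Code flow: response_type=code, so Twitch answers with ?code=."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,  # assumption: random per-login value, checked on return
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def classify_callback(url):
    """Report which flow produced a redirect and what the server would receive."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    fragment = parse_qs(parts.fragment)
    if "access_token" in fragment:
        # The fragment stays in the browser, so the view behind the
        # redirect URI receives the bare path with no token in it.
        return {"flow": "implicit", "server_sees": parts._replace(fragment="").geturl()}
    if "code" in query:
        return {"flow": "authorization_code", "code": query["code"][0],
                "state": query.get("state", [None])[0]}
    return {"flow": "unknown"}


def token_request_body(callback, expected_state, client_id, client_secret, redirect_uri):
    """Form body to POST to TOKEN_URL; raises unless the callback is a valid code response."""
    if callback.get("flow") != "authorization_code":
        raise ValueError("callback carries no authorization code")
    returned = (callback["state"] or "").encode()
    if not secrets.compare_digest(returned, expected_state.encode()):
        raise ValueError("state mismatch")
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "code": callback["code"],
        "grant_type": "authorization_code",
        "redirect_uri": redirect_uri,
    }
```
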
