URL片段从重定向URI失踪 [英] URL fragment missing from redirect URI

问题描述

我测试一个基于Qt的OAuth库（ https://github.com/pipacs/o2）。我测试的OAuth 2.0对的Facebook 作为供应商。

I'm testing a Qt based OAuth library (https://github.com/pipacs/o2). I'm testing OAuth 2.0 against Facebook as the provider.

我测试了协议的 ImplicitGrant 的流动。在该流程中，如果客户端设置* request_type *查询参数到的令牌的，那么响应包括作为网址片段，并包含一个访问令牌

I'm testing the ImplicitGrant flow of the protocol. In this flow, if a client sets the *request_type* query param to token, then the response is included as a URL fragment and contains an access token.

脸谱，浏览器中的成功认证，响应回来重定向到我提供和访问令牌中的的 URL片段的发送的URI。

Facebook, on successful authentication in the browser, responds back with a redirect to the uri that I provide and the access token is sent in the URL fragment.

例如：浏览器重定向到：

Eg: the browser is redirected to:

http://mylocalserver.com:8888/#access_token=ABCDE&expires_in= 5162322

mylocalserver.com =本地主机

mylocalserver.com=localhost

我在Qt中实现一个微小的HTTP服务器用于处理所有这些重定向。

I have a tiny HTTP server implemented in Qt which handles all such redirects.

问题是，在得到传入连接，即从开始它重定向浏览器，当我从套接字读取数据时，我看到的片段部分的丢失的！例如：以上本地URL，我看到的数据：

The problem is that on getting an incoming connection, i.e from the browser which initiated it on a redirect, when I read the data from the socket, I see that the fragment part is missing! Eg: for the above local url, the data I'm seeing is:

GET / HTTP/1.1
Host: 127.0.0.1:8888
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

正如你所看到的片段是完全丢失。环顾对于这个问题，我发现，FF /铬可能把碎片在位置头。但我不明白，要么。

As you can see the fragment is completely missing. Looking around for this problem, I found that FF/Chrome might put fragments in the Location header. But I don't see that either.

任何想法，为什么片段迷路，以及如何把它找回来/指示浏览器发送它？

Any idea as to why the fragment is getting lost and how to get it back/instruct the browser to send it?

推荐答案

的隐的流量意味着情况下使用那里没有服务器。片段（和它的访问令牌）将通过客户端code（例如JavaScript中，本地客户端等）中提取。这是，你不能保持的秘密的安全情况。当你可以（在服务器），通常使用授权code流量即可。在GET到服务器缺少片段预期

The implict flow is meant to be used in situations where there's no "server". Fragments (and the access token in it) would be extracted by client side code (e.g. javascript, native clients, etc). That is for situations where you can't keep a secret securely. When you can (as in a server), you typically use the authorization code flow. The fragment missing in the GET to the server is expected.

这篇关于URL片段从重定向URI失踪的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！