EVE API auth callback using hashtag for query strings

Hello everyone. Hopefully i’m posting this in the correct sub-forum…

Basically, after requesting auth from the EVE API (using implicit requests since it’s a frontend JS app), the API returns a token onto my given callback URL - however, instead of using questionmarks (?) to append the actual query string - the API returns a hashtag.

So basically instead of https://myapp.com/login?access_token={whatever-the-access-token} i get https://myapp.com/login#access_token={whatever-the-access-token}

This doesn’t make it a valid query string when it comes to using frontend routers or the URLSearchParams() method since it can’t detect it.

Is there a way of changing this?

This means you are using the implicit auth mode, only way to chance it would be not using implicit mode.

The answer there should work as well.

Implicit auth mode is the only way you can do it frontend-side according to the docs. Using the normal “code” to handshake fails due to CORS. Will take a look at the link. thnx

Edit: I managed to work around it by parsing the hash part of the url on my own. If anyone comes across this with the same problem here’s what i did (using Vue.js router btw):

const parsedParams = {};
this.$route.hash.split('&').map(part => part.replace(/#/, '')).forEach(param => {
   const parts = param.split('=')
   parsedParams[parts[0]] = parts[1]

This will return an object that looks like:

{  access_token: <tokenString>
   expires_in: "1199"
   state: <stateString>
   token_type: "Bearer"}
1 Like

Also maybe take a look at the V2 SSO stuff, https://github.com/esi/esi-docs/blob/master/docs/sso/native_sso_flow.md. Would allow you to implement the full flow without needing your client secret in the app.

Yup, that’s implicit request. That’s what i’ve been using since the beginning since requesting it the “usual” way fails immediately due to CORS :slight_smile:

Basically, you redirect the user to EVE login, and the API returns the access token back to you without handshaking and sending your app secret. The problem was API returning hash parameters instead of classic query params separated with “?” or “&”

But its not implicit flow. Implicit flow is when you get your token back in the callback. This method returns the code that you can use for getting a refresh token. The v2 url also has access-control-allow-origin: * so it should work fine doing it from your JS.

Yea, I skimmed over the docs and it looked like what I’ve been using already up to the point with the new base64/sha encoded random string. Will try this out instead of using the token gotten in the callback directly.


This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.