SSO Callback query starting with '#' instead of '?'

The URL for logging in users I am currently using for testing purposes is https://login.eveonline.com/oauth/authorize/?response_type=token&redirect_uri=https://127.0.0.1:3000/callback/&client_id=d6f4e24a6f434544828a2d57e80aa651&state=login

The response URL I am getting after logging in is https://127.0.0.1:3000/callback/#access_token=token&token_type=Bearer&expires_in=1199&state=login

Is there any specific reason why the response URL has its query parameters starting with a hash (#) instead of a question mark (?)? This is kind of annoying because now I have to parse the URL myself because NodeJS can’t figure out where the query starts.

You are using implicit flow. Use online flow instead.

PS, don’t post access tokens publicly. Anyone can use them.

Just stopping by to laugh, and reinforce the above. Leaking your own token is no bueno.

EDIT: Yeah, you are requesting token, not code.

The implicit flow does them with a #, so it doesn’t actually hit any log files.

Understood, thank you. I am aware of the tokens, but they are only valid for 30 minutes and do not grant access to anything.

I am using the implicit flow to generate a session without any actual scopes. Should I use the online flow without requesting any scopes instead?

EDIT: Figured it out, sorry.


They can grant with scopes, so they’re important.
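The behaviour discussed in this thread, as an added example that is not part of any post above: the implicit flow puts the token in the URL fragment, which the browser never sends to the server, so it has to be parsed and validated client-side. The function names and the placeholder token are assumptions made for illustration; the URL shape is the one quoted in the question.

```javascript
// Constructed sample modelled on the callback URL in the thread.
// PLACEHOLDER_TOKEN is not a real token.
const SAMPLE_CALLBACK =
  'https://127.0.0.1:3000/callback/#access_token=PLACEHOLDER_TOKEN' +
  '&token_type=Bearer&expires_in=1199&state=login';

// What the HTTP server (and its access log) receives: the browser strips
// the fragment before sending the request, leaving only path and query.
function requestTargetSeenByServer(callbackUrl) {
  const u = new URL(callbackUrl);
  return u.pathname + u.search;
}

// Parse the fragment as client-side code would, and validate it before use.
function parseImplicitCallback(callbackUrl, expectedState) {
  const u = new URL(callbackUrl);
  // u.hash includes the leading '#'; the rest is form-encoded like a query.
  const params = new URLSearchParams(u.hash.replace(/^#/, ''));

  if (params.has('error')) {
    throw new Error(`authorization failed: ${params.get('error')}`);
  }
  // state must equal the value sent in the authorize request.
  if (params.get('state') !== expectedState) {
    throw new Error('state mismatch');
  }
  const tokenType = params.get('token_type') || '';
  if (tokenType.toLowerCase() !== 'bearer') {
    throw new Error('unexpected token_type');
  }
  const accessToken = params.get('access_token');
  if (!accessToken) throw new Error('no access_token in fragment');

  const expiresIn = Number.parseInt(params.get('expires_in'), 10);
  if (!Number.isInteger(expiresIn) || expiresIn <= 0) {
    throw new Error('bad expires_in');
  }
  return { accessToken, tokenType, expiresIn };
}

// Form of the callback URL that is safe to log or paste: fragment removed.
function redactForLog(callbackUrl) {
  const u = new URL(callbackUrl);
  u.hash = '';
  return u.toString();
}
```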
