Jul 24th, 2012, 04:02 PM
Thanks in advance!
Last edited by iv.hristov; Jul 24th, 2012 at 04:18 PM.
Jul 25th, 2012, 03:10 AM
You mean URL fragments (not URL parameters)?
If you want a server-side solution you need to look at the AuthorizationEndpoint. If you register your own implementation with a @RequestMapping for /oauth/authorize it should take precedence over the framework one, so that would be the place to start probably.
Jul 25th, 2012, 03:56 AM
Thanks for the hint about the /oauth/authorize precedence. Indeed, I was just pondering how to hook in the AuthorizationEndpoint.
As for the URL, I mean the URL parameters separated by ampersands:
which are appended to the redirect URL. What do you mean by URL fragments? I didn't see any # fragments being added to the URL.
Jul 25th, 2012, 04:03 AM
For an implicit grant there should be a fragment separator. Are you sure it's not there?
I don't know of any fully-baked JavaScript libraries. Scott Andrews was working on something but he may have been distracted. Ping him on Twitter @scothis.
Jul 25th, 2012, 04:13 AM
I have a fragment separator in my redirect_uri (as part of my target uri), but I can see in the console a DEBUG message from FilterChainProxy where the redirect_uri is well encoded so there are no fragment separators. How should I specify the authorization code grant type when doing the request?
Jul 25th, 2012, 04:22 AM
Per the spec you send response_type=token to the authorization endpoint. The JSO library should be doing that work for you. Maybe if your redirect already has a fragment there is a bug in the endpoint, but I hope not. What does your client see in the response location header?
Jul 25th, 2012, 05:21 AM
Indeed, the JSO does the job with the response_type=token, I can see it in the logs. In the response location header I see:
Looking at the draft version of the standard, I see that the client will always be redirected. So I guess I can't simply initialize my access_token by asking the server to give me all the OAuth2 details in a response body.
What happens once the access token expires? Is the JSO client going to refresh it? On the server side, if I'd like to tune the token expiration, how should I do it correctly?
Jul 25th, 2012, 06:21 AM
I don't know how JSO handles expiry. I assume it grabs a new token (the same flow).
On the server side there are two settings you can configure: a global property of the *TokenServices, plus every client has their own value that overrides the global setting if used. For more complicated logic you would provide a custom AuthorizationServerTokenServices.
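The client side of the implicit grant discussed in this thread, as an added example that is not part of any post and is not code from JSO or Spring Security OAuth: it builds the response_type=token request, reads the token from the redirect's fragment, checks state, and tracks expiry. The function names are hypothetical, and the hosts, client id and token values are constructed sample data.

```javascript
// Added example: implicit-grant request and response handling (RFC 6749, section 4.2).
// Function names are hypothetical; URLs, client id and token values are constructed.

// Build the authorization request; response_type=token selects the implicit grant.
function buildAuthorizeUrl(endpoint, clientId, redirectUri, state) {
  const q = new URLSearchParams({
    response_type: 'token',
    client_id: clientId,
    redirect_uri: redirectUri,
    state: state, // unguessable per-request value, checked again on return
  });
  return endpoint + '?' + q.toString();
}

// Parse the redirect target (the Location header value) returned by the server.
function parseImplicitResponse(location, expectedState, nowMs) {
  const url = new URL(location);
  // A token in the query string reaches the server behind redirect_uri and its logs;
  // the implicit grant must deliver it after '#', which browsers never send.
  if (url.searchParams.has('access_token')) {
    throw new Error('access_token in query string, expected fragment');
  }
  const params = new URLSearchParams(url.hash.slice(1));
  if (params.has('error')) throw new Error('authorization error: ' + params.get('error'));
  const token = params.get('access_token');
  if (!token) throw new Error('no access_token in fragment');
  // Reject responses that do not echo the state sent in the request (CSRF defence).
  if (params.get('state') !== expectedState) throw new Error('state mismatch');
  const expiresIn = Number(params.get('expires_in'));
  return {
    accessToken: token,
    tokenType: params.get('token_type'),
    // The implicit grant issues no refresh token: after expiry, run the flow again.
    expiresAt: Number.isFinite(expiresIn) && expiresIn > 0 ? nowMs + expiresIn * 1000 : null,
  };
}

// True once the recorded lifetime has elapsed; unknown lifetime is treated as not expired.
function isExpired(tok, nowMs) {
  return tok.expiresAt !== null && nowMs >= tok.expiresAt;
}

// Constructed sample redirect, as a client would see it after authorization.
const sample = 'https://client.example/app#access_token=abc123&token_type=bearer&expires_in=3600&state=s1';
console.log(buildAuthorizeUrl('https://auth.example/oauth/authorize', 'demo-client', 'https://client.example/app', 's1'));
console.log(parseImplicitResponse(sample, 's1', Date.now()));
```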