Can I get the URL location parameters after a #? Auth0

Bentley_Davis · June 9, 2020, 4:01pm

Can I get the URL location parameters after a #?

I’m attempting to implement Auth0 with Appguyver. I am getting a successful callback after the login but the data after the “#” is removed from the URL early in the process

The response header from Auth0 is "
location: https://preview.appgyver.com/index.html?version=dev&appId=201260&pageId=DolanApp&appHash=4b12663ec462759526c0cc89636ae14e5f8b1108f7294a189aa370e57062e6ae&dolanApiVersion=2&env=appgyver.com&path=null&name=Auth%20Ext**#access_token=vRq4N5J_ByB0_zT0zAjRGfb9eNRaV5hv&expires_in=7200&token_type=Bearer&state=STATE**"

But in the address bar I just see “https://preview.appgyver.com/index.html?version=dev&appId=201260&pageId=DolanApp&appHash=4b12663ec462759526c0cc89636ae14e5f8b1108f7294a189aa370e57062e6ae&dolanApiVersion=2&env=appgyver.com&path=null&name=Auth%20Ext”

I tried adding a page parameter for access_token and I even tried a self.window.location.href in a JavaScript node on the page mounted event but apparently that is after the # data has been removed.

Harri_Sarsa · June 10, 2020, 12:01pm

I’ll check with the native team – could be that that’s an unsupported case ATM. I assume you are using https://auth0.com/docs/flows/guides/implicit/call-api-implicit and there’s no possibility of a server component to use https://auth0.com/docs/flows/guides/auth-code/call-api-auth-code instead (or include client_secret in the app code)?

Bentley_Davis · June 10, 2020, 3:58pm

When you say “native team” are you implying this is for a mobile app? This is for a web app. Is there a reason you though it was for a native/mobile app or am I misunderstanding what you mean by “native”?

Bentley_Davis · June 10, 2020, 4:04pm

Yes, point of using Auth0 is so that I don’t need to host my own service for this. Although Auth0 uses the # for security purposes, so even if I had my own service it would still be more secure to do it this way.

If I am understanding you when you say “include client_secret in the app code” is also insecure as you pass the app code to the client, so it is no longer secret. I don’t see in AppGyver anyplace to securely store and use a client secret. That should be made clear in the documentation.

Harri_Sarsa · June 11, 2020, 9:23am

Yeah, storing the client_secret in app code is obviously insecure, but could be tolerable for demo/internally distributed app.

It does look like the part in the URL after # is unfortunately inaccessible before further development on our end – listed this as a bug now https://tracker.appgyver.com/bug-reports/p/hash-values-in-web-app-urls-are-not-accessible

Super sorry that you’ve run into so many blockers with this, if there’s anything we can do (apart from fixing the bug ASAP), let me know!

Tobias_Heinz · August 21, 2020, 5:17pm

Has anyone been successful using Auth0 with composer pro? Does anyone know of a working example?
Thanks!

crisacosta · November 9, 2021, 4:10pm

I try use javascript for this.
domain.com/#parameter=value

The method is window.location.hash

But I don´t have success