
Okta - Retrieving Access Token


This might be a newbie question, but I couldn't find any answers to this on SO or the Okta forums/guides. I've configured my Okta app to redirect to https://localhost:443/auth/callback when a user signs in and grants consent to a scope. I'm using implicit grant and the redirect works, but in my /auth/callback, the request query, headers, and body don't contain the access token. It's only when I call res.end() that Express redirects to the below URL:

https://localhost/auth/callback#access_token=accessTokenHere&token_type=Bearer&expires_in=3600&scope=openid+phone&state=myState

How do I retrieve the access token? My express route:

router.get('/auth/callback', (req, res) => {
    console.log(req.headers);  // no access token here
    console.log(req.query);  // {}
    console.log(req.body); // {}
    res.end(); // redirects to https://localhost/auth/callback#access_token=accessTokenHere&token_type=Bearer&expires_in=3600&scope=openid+phone&state=myState
});

Solution

  • That's because what comes after # in the URL is called the URI fragment identifier, and it won't be sent to the server; it's used in the browser and can be accessed via window.location.hash.

    Instead of # you can use ? (and keep the part after it as it is), which is called query parameters and can be accessed via req.query.query_name; in your case query_name is access_token, token_type, expires_in...
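
The fragment behaviour described in the answer, as an added example that is not part of the original post: it shows which part of the redirect URL reaches Express and how a callback page would read the token from window.location.hash, checking state before accepting it. The function names are hypothetical, and the sample URL is constructed from the one in the question.

```javascript
// Added example (not from the original thread). Runs in Node or a browser.

// The part of a URL the browser puts on the request line: path and query.
// The fragment (everything after '#') is never transmitted to the server.
function serverVisibleTarget(redirectUrl) {
  const u = new URL(redirectUrl);
  return u.pathname + u.search;
}

// Parse an implicit-grant fragment as a callback page would with
// window.location.hash. expectedState is the value the client generated
// and stored before redirecting the user to the authorization server.
function parseImplicitGrantFragment(hash, expectedState) {
  const params = new URLSearchParams(hash.replace(/^#/, ''));
  if (params.has('error')) {
    throw new Error(`authorization error: ${params.get('error')}`);
  }
  // Reject responses that were not initiated by this client session.
  if (params.get('state') !== expectedState) {
    throw new Error('state mismatch: discard the response');
  }
  const accessToken = params.get('access_token');
  if (!accessToken) throw new Error('no access_token in fragment');
  return {
    accessToken,
    tokenType: params.get('token_type'),
    expiresIn: Number(params.get('expires_in')),
    // URLSearchParams decodes '+' as a space, so scopes split on spaces.
    scopes: (params.get('scope') || '').split(' ').filter(Boolean),
  };
}

// Constructed sample modelled on the redirect URL in the question.
const sampleRedirect =
  'https://localhost/auth/callback#access_token=accessTokenHere' +
  '&token_type=Bearer&expires_in=3600&scope=openid+phone&state=myState';

// What Express receives for this redirect: no token anywhere in it.
console.log('server sees:', serverVisibleTarget(sampleRedirect));

// What client-side code can read; the token itself is not logged.
const parsed = parseImplicitGrantFragment(new URL(sampleRedirect).hash, 'myState');
console.log('client sees:', parsed.tokenType, parsed.expiresIn, parsed.scopes);
```

In a real callback page the first argument would be window.location.hash, and the fragment should be cleared from the address bar once the token has been read.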