OAuth 2.0: Can a user-agent client avoid forwarding fragments?

Posted by Bosh on Stack Overflow See other posts from Stack Overflow or by Bosh
Published on 2010-05-20T15:01:49Z Indexed on 2010/05/20 23:20 UTC
Read the original article Hit count: 311

Filed under:

oauth

|

user-agent

|

authentication

In the OAuth 2.0 draft specification, user-agent clients receive authorization in the form of a bearer token via redirection (from an authentication server) to a URL such as

HTTP/1.1 302 Found
Location: http://example.com/rd#access_token=FJQbwq9&expires_in=3600

According to Section 3.5.2 it is then the user-agent's job to GET the URL in question, but "The user-agent SHALL NOT include the fragment component with the request." In other words, as a result of the example redirection above, the user-agent should

 GET /rd HTTP/1.1
 Host: example.com

without passing #access_token to the server.

My question: what user agents behave this way? I thought redirection in Firefox, for example, would (logically) include the fragment in the GET request. Am I just wrong about this, or does the OAuth 2.0 specification rely on non-standard user-agent behavior?

© Stack Overflow or respective owner

Related posts about oauth

Issues POSTing XML to OAuth and Signature Invalid with Ruby OAuth Gem

as seen on Stack Overflow - Search for 'Stack Overflow'
[Cross-posted from the OAuth Ruby Google Group. If you couldn't help me there, don't worry bout it] I'm working on integrating a project with TripIt's OAuth API and am running into a weird issue. I authenticate fine, I store and retrieve the token/secret for a given user with no problem, I can even… >>> More
how do i install PHP with JSON and OAuth on Mac Snow Leopard?

as seen on Server Fault - Search for 'Server Fault'
i want to use the dropbox api via this library http://code.google.com/p/dropbox-php/ i installed MAMP then I tried "sudo pecl install oauth" but I got downloading oauth-1.0.0.tgz ... Starting to download oauth-1.0.0.tgz (42,834 bytes) ............done:… >>> More
How do I install PHP with JSON and OAuth on Mac Snow Leopard?

as seen on Server Fault - Search for 'Server Fault'
I want to use the Dropbox API via this library, http://code.google.com/p/dropbox-php/. I installed MAMP, and then I tried sudo pecl install oauth but I got the following. >>>> downloading oauth-1.0.0.tgz ... Starting to download oauth-1.0.0.tgz (42,834 bytes) ............done: 42… >>> More
Oauth for Google API example using Python / Django

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi, I am trying to get Oauth working with the Google API using Python. I have tried different oauth libraries such as oauth, oauth2 and djanog-oauth but I cannot get it to work (including the provided examples). For debugging Oauth I use Google's Oauth Playground and I have studied the API and the… >>> More
OAuth::Problem (parameter_absent)

as seen on Stack Overflow - Search for 'Stack Overflow'
Im working with OAuth 0.3.6 and the linkedin gem for a Rails application and I have this issue where OAuth throws an error saying that OAuth::Problem (parameter_absent). The thing is it doesn't throw the error on every occasion its called and the problem is I am unable to reproduce the issue locally… >>> More

Related posts about user-agent

What does it mean when a User-Agent has another User-Agent inside it?

as seen on Pro Webmasters - Search for 'Pro Webmasters'
Basically, sometimes the user-agent will have its normal user-agent displayed, then at the end it will have teh "User-Agent: " tag displayed, and right after it another user-agent is shown. Sometimes, the second user-agent is just appended to the first one without the "User-Agent: " tag. Here are… >>> More
blocking bad bots with robots.txt in 2012 [closed]

as seen on Pro Webmasters - Search for 'Pro Webmasters'
does it still work good? I have this: # Generated using http://solidshellsecurity.com services # Begin block Bad-Robots from robots.txt User-agent: asterias Disallow:/ User-agent: BackDoorBot/1.0 Disallow:/ User-agent: Black Hole Disallow:/ User-agent: BlowFish/1.0 Disallow:/ User-agent: BotALot Disallow:/ User-agent:… >>> More
JavaScript - get detailed information about the browser

as seen on Stack Overflow - Search for 'Stack Overflow'
Basically I'm looking for something to give me easy access to information like useragentstring.com, but in JS, without me parsing the user agent and looking for each possible bit of text. The object could be something like this: browser = UserAgent.Browser; // Chrome browserVer… >>> More
User Agent in http client Android

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi everybody, I building an Https Client to send some data to a server, but I don't know what to pass in User-Agent. Should I use the webkit one's or do I have to build one explicitely for my App? I'm using this handy post Thanks for any help >>> More
Urlscan 3.1 block User Agent

as seen on Stack Overflow - Search for 'Stack Overflow'
I need to block requests from certain User Agents to our Sharepoint Environment that have been identified after going through the IIS logs. I have tried the below by amending the urlscan.ini config file and doing and iisreset, but it doesn't block anything. Am I entering the correct strings? I'm… >>> More