2,854 questions
There's a context.Request.Uri.Fragment you can use. You'll just need to split on the = sign.
HttpListenerContext Request QueryString
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 32%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFR%3C/text%3E%3C/svg%3E)
Frederico Regateiro
0
Reputation points
I've created a sample to do a oauth request toa service.
I'm using a HttpListener to receive the url query string from the redirect_uri, but the redirect_uri that the oauth server sends is like
http://localhost:62941/#access_token=
The # is causing the Request QueryString to be empty.
using var httpListener = new HttpListener();
httpListener.Prefixes.Add("http://localhost:62941/");
httpListener.Start();
//wait for server captures redirect_uri
HttpListenerContext context = await httpListener.GetContextAsync();
httpListener.Stop();
// the code is null because the QueryString is empty
var code = context.Request.QueryString.Get("access_token");
How can i read the uri from the redirect_uri?
Developer technologies | Windows Presentation Foundation
Developer technologies | C#
11,570 questions
2 answers
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(316.8, 9%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPA%3C/text%3E%3C/svg%3E)
P a u l 10,761 Reputation points2023-11-22T17:28:30.8366667+00:00 -
Frederico Regateiro 0 Reputation points
2023-11-22T18:01:50.0566667+00:00 No, the Fragment is empty.
-
P a u l 10,761 Reputation points
2023-11-22T21:41:38.5533333+00:00 Of course, I forgot that fragments aren't actually sent to the server from the browser.
The issue is that these
#access_tokenparameters are used for "Implicit Grant" types, which is a deprecated & insecure code flow used in client side authorisation.Typically you would use javascript to access this value (via
window.location.hash) & then managed that value in the browser without any additional server-side validation steps.https://oauth.net/2/grant-types/implicit/
In your example you have a server-side endpoint, which you would typically need for the "Authorisation Code Grant" type.
https://oauth.net/2/grant-types/authorization-code/
In this scenario the code is returned to your server & you'd validate it, then go back to your authorisation server to retrieve tokens, which can then be used to make subsequent authorised requests.
If your authorisation provider supports the implicit flow then they should definitely support the authorisation code flow as the former is deprecated.
-
Frederico Regateiro 0 Reputation points
2023-11-23T14:41:19.2+00:00 Thanks for the reply and clarification on this subject.
The server i need to connect only uses theresponse_type=token.I need to authenticate my users in a WPF app using this server, so my only option is to use a webview control like webview2 and forget the HttpListener?
Sign in to comment -
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 11%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHL%3C/text%3E%3C/svg%3E)
Hui Liu-MSFT 48,676 Reputation points Microsoft External Staff2023-11-24T09:26:30.1933333+00:00 Hi,@ Frederico Regateiro. Welcome to Microsoft Q&A Forum.
If you are dealing with the OAuth2.0 implicit flow to handle redirects and capture tokens from URL fragments, you could check out the following.
In OAuth 2.0 implicit flow, the authorization server usually sends the access token as part of the URL fragment to the client-side JavaScript. Handling OAuth 2.0 implicit flow often involves using a client-side technology, such as a browser, WebView, or embedded browser control, to handle redirects and capture the token from the URL fragment. The server-side component typically doesn't directly capture the access token in this flow.
Here's a simple example using the WebView2 control in a WPF application:
You could add the Microsoft.Web.WebView2 NuGet package.
MainWindow.xaml:
<Grid> <wv:WebView2 Name="webView" /> </Grid>Handle OAuth Flow in Code-Behind (MainWindow.xaml.cs):
using System; using System.Windows; using Microsoft.Web.WebView2.Core; public partial class MainWindow : Window { private const string AuthorizationUrl = "YOUR_OAUTH_AUTH_URL"; private bool isAccessTokenReceived = false; public MainWindow() { InitializeComponent(); webView.EnsureCoreWebView2Async(null); webView.Source = new Uri(AuthorizationUrl); webView.CoreWebView2.NavigationCompleted += CoreWebView2_NavigationCompleted; } private void CoreWebView2_NavigationCompleted(object sender, CoreWebView2NavigationCompletedEventArgs e) { if (!isAccessTokenReceived && e.Uri.Fragment.Contains("access_token")) { var uri = new Uri(e.Uri.AbsoluteUri); var accessToken = uri.Fragment.Split('=')[1]; MessageBox.Show($"Access Token: {accessToken}"); isAccessTokenReceived = true; Close(); } } }Replace "YOUR_OAUTH_AUTH_URL" with the actual OAuth authorization URL.
If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.