oauth2 token collecting #63

Closed
lucwillems opened this issue Jun 6, 2018 · 4 comments
@lucwillems

Hi,
I'm using your tool to test some internal API servers we are building, and they're using OAuth2 tokens using implicit flow.

I have set up the OAuth2 configuration, and as redirect URL I point it to a personal public test site (https://t-m-m.be) which, if it sees the OAuth2 token, dumps the value for verification.

Now the OAuth2 provider is a Spring-based application which includes the token as a URL fragment.
Example: https://t-m-m.be/#access_token=eyJhbGciOiJIUzI1NiIs.....

The tool doesn't seem to get the token, and closing the login window it reports this error:

Window was closed before target url was loaded.

Is there some config missing or something else ...

@lucwillems
Author

lucwillems commented Jun 6, 2018

Some extra remark:
Spring adds the token as a URL fragment together with some extra fields as URL parameters.
As the token is large (+/- 780 bytes), you have to scroll to the end of the URL to see additional &=
Maybe this is unexpected by the tool?
Currently we have something like this in the redirect URL:

https://t-m-m.be/#access_token=<long token>&token_type=bearer&expires_in=86399

So more than the token itself.

@frigus02 frigus02 added the bug label Jun 10, 2018
@frigus02
Owner

Hi, thanks for taking the time to report this. Putting the token in the URL fragment, together with the token type and expiration time is how OAuth 2 wants you to do it (if I remember correctly). And this is also what RESTer supports, or is supposed to support.

There has to be a bug in RESTer, which breaks the token detection for some reason. I will have a look at it.

frigus02 added a commit that referenced this issue Jun 17, 2018
@frigus02
Owner

I could reproduce the issue if the specified redirect URI has an empty path, i.e. ends with the top-level domain and has no trailing slash. It should be fixed in the next update.
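
The empty-path case from the comment above, as an added example that is not RESTer's code and not written by either participant. It assumes the token is picked up by comparing the loaded URL with the configured redirect URI; the function names are hypothetical and the token value is a constructed placeholder.

```javascript
// Added example: why a redirect URI with an empty path can be missed, and a
// comparison that handles it. Not RESTer's implementation.

// Naive check: strip the fragment and compare strings. The browser reports
// "https://host/" for a URI configured as "https://host", so this fails.
function naiveMatch(configuredRedirect, loadedUrl) {
  return loadedUrl.split('#')[0] === configuredRedirect;
}

// Parse both sides with the WHATWG URL parser, which turns an empty path
// into "/", then compare origin, path and query exactly (no prefix match,
// so a different host that merely starts with the same text is rejected).
function matchesRedirect(configuredRedirect, loadedUrl) {
  const a = new URL(configuredRedirect);
  const b = new URL(loadedUrl);
  return a.origin === b.origin &&
         a.pathname === b.pathname &&
         a.search === b.search;
}

// Read the implicit-flow response fields from the fragment.
// Returns null if the URL is not the redirect URI or carries no token.
function parseImplicitResponse(configuredRedirect, loadedUrl) {
  if (!matchesRedirect(configuredRedirect, loadedUrl)) return null;
  const params = new URLSearchParams(new URL(loadedUrl).hash.slice(1));
  const accessToken = params.get('access_token');
  if (!accessToken) return null;
  const expiresIn = Number(params.get('expires_in'));
  return {
    accessToken,
    tokenType: params.get('token_type'),
    expiresIn: params.has('expires_in') && Number.isFinite(expiresIn)
      ? expiresIn
      : null,
  };
}

// Constructed sample input: redirect URI without trailing slash, as in the
// issue, and a placeholder token instead of a real JWT.
const configured = 'https://t-m-m.be';
const loaded = 'https://t-m-m.be/#access_token=SAMPLE.TOKEN.VALUE' +
               '&token_type=bearer&expires_in=86399';

console.log('naive match:', naiveMatch(configured, loaded));
console.log('parsed:', parseImplicitResponse(configured, loaded));
```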

@frigus02
Owner

Version 3.8.2 is out and contains the fix.
