I need to process the query parameters returned after a redirect.
I followed the redirect recipe by having a JavaScript function in the client to redirect to the OpenID provider. When the OpenID provider is finished, it redirects back to the app. How do I isolate the query parameters used by the ID provider?
They are in the form of a fragment marker at the end of the URL, as set out below:
My question is, does this redirect pass through the server? If so, how can I trap the fragment, process it and then return to a useful place in the client part of the app?
get_url_hash() gets the decoded hash (the part after the ‘#’ character) of the URL used to open this app.
If the first character of the hash is a question mark (eg https://myapp.anvil.app/#?a=foo&b=bar ), it will be interpreted as query-string-type parameters and returned as a dictionary (eg {'a': 'foo', 'b': 'bar'} ).
OK. I have used it in the main form’s __init__ function, and it works fine. I am a bit concerned that it includes an id_token in the clear in the URL. Is there some way I can clear it?
I’m not quite sure what you mean by that. It’s sent as part of the URL and therefore available to the client side code. You can pass it to a server side function so nothing client side is aware of how that id is decoded, used or processed.
Maybe you could redirect to an HTTP endpoint first?
There you could process the data as GET parameters (without the #) and then redirect using a 302 to the main app’s URL.
edit
So you would do this:
import anvil.server

@anvil.server.http_endpoint("/myendpoint")
def process_endpoint(**params):
    # Query-string parameters (the part after "?", which does reach the server)
    # arrive here as keyword arguments.
    # process the parameter data.
    # create a new UID so the main app can know what to do
    ...
    # Redirect the browser back to the client app, carrying only the opaque id
    # in the fragment.
    return anvil.server.HttpResponse(302, headers={"Location": "https://myapp.anvil.app/#?newid=xxxx"})
In that function you could create a UID and store it in a data table. Then use that as a # parameter in the URL, which is meaningless to an onlooker but can be used in a server-side lookup to verify its authenticity.
This way, the original (and potentially the most sensitive) token is never visible.
The auth server has no ?, just /#. Therefore no parameters are being sent into the endpoint. Is there a function that can inspect the original request object in the callback .../end_point?
import anvil.server

@anvil.server.http_endpoint("/auth_endpoint")
def process_endpoint(*args, **kwargs):
    # process the parameter data.
    # create a new UID so the main app can know what to do
    print("secrets", args, kwargs)
    # The incoming request itself is available as anvil.server.request; its
    # query_params dict and path show what actually reached the server (a URL
    # fragment after "#" never will).
    req = anvil.server.request
    print("request", req.method, req.path, req.query_params)
    return anvil.server.HttpResponse(302, headers={"Location": "https://myapp.anvil.app/#?newid=xxxx"})
Me neither. I have an idea it could be a bug in the auth program. I think it should read /#? instead of just /#. I am not sure if they will agree with me though.
I have successfully routed it through the client. I think if I use a bit of JavaScript to push a clean URL into history, I should be OK.
The fragment is stripped off by the client before reaching the server; it’s meant for the use of the browser (or other client) to locate secondary resources within the resource retrieved.
… the fragment identifier is separated from the rest of the URI prior to a dereference, and thus the identifying information within the fragment itself is dereferenced solely by the user agent, regardless of the URI scheme. Although this separate handling is often perceived to be a loss of information, particularly for accurate redirection of references as resources move over time, it also serves to prevent information providers from denying reference authors the right to refer to information within a resource selectively.
Interestingly though, the fragment contains an id_token and was showing in the browser address bar. In the end, I used the function above to replace it with a cleaned up version.
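The approach the thread settles on, as an added example that is not code from the thread or from Anvil: read the provider's callback parameters out of the URL fragment (the part after "#", which the browser never sends to the server), hand the id_token to server code, and replace the visible URL with history.replaceState so the token no longer sits in the address bar or in the history entry. It goes slightly beyond the posts in accepting both the "#?a=b" form Anvil's get_url_hash() documents and the "#a=b" form the poster reports the auth server sending without the "?". The names handleAuthCallback, sendToServer and runDemo, the window stub and the "header.payload.sig" token are assumptions made for the example.

```javascript
// Added example, not code from the thread or from Anvil. Plain browser
// JavaScript; the stub window in runDemo() lets it also run under Node.

// Parse a fragment into an object. "#?a=foo&b=bar" becomes {a: 'foo', b: 'bar'}
// (the get_url_hash() convention); "#id_token=x&state=y" (no '?', as the poster
// saw) is parsed the same way. A fragment with no key=value pairs, e.g.
// "#section", is not a parameter list, so null is returned for it.
function parseFragmentParams(hash) {
  let s = hash.startsWith('#') ? hash.slice(1) : hash;
  if (s.startsWith('?')) {
    s = s.slice(1);
  } else if (!s.includes('=')) {
    return null;
  }
  const params = {};
  for (const [key, value] of new URLSearchParams(s)) {
    params[key] = value;           // URLSearchParams percent-decodes for us
  }
  return params;
}

// Return the same URL with the fragment removed; origin, path and query are kept.
function scrubFragment(href) {
  const url = new URL(href);
  url.hash = '';
  return url.toString();
}

// Process the provider's redirect. `win` is a window-like object (pass the real
// `window` in a browser; a stub in tests); `sendToServer(token, state)` is the
// caller's hook, e.g. a wrapper around anvil.server.call(...) that verifies the
// token server-side (assumed, not shown). The token is scrubbed from the URL
// *before* the server call, so a thrown error cannot leave it in the address bar.
function handleAuthCallback(win, sendToServer) {
  const params = parseFragmentParams(new URL(win.location.href).hash);
  if (params === null) return { handled: false };

  // replaceState rather than pushState: the back button must not return the
  // user to a history entry whose URL still contains the token.
  win.history.replaceState(null, '', scrubFragment(win.location.href));

  if (params.error) {
    // OpenID providers report failures in the same redirect; surface them
    // without having done anything with credentials.
    return { handled: true, error: params.error };
  }
  if (!params.id_token) return { handled: false };

  sendToServer(params.id_token, params.state);
  // Only the opaque state value stays client-side; the token itself is gone.
  return { handled: true, state: params.state === undefined ? null : params.state };
}

// Stand-alone demonstration with a constructed window stub and a made-up token.
function runDemo(href = 'https://myapp.anvil.app/#?id_token=header.payload.sig&state=xyz') {
  const received = [];
  const win = {
    location: { href },
    history: { replaceState(_state, _title, url) { win.location.href = url; } },
  };
  const result = handleAuthCallback(win, (token, state) => received.push({ token, state }));
  return { result, received, hrefAfter: win.location.href };
}

console.log(JSON.stringify(runDemo()));
```

Scrubbing the URL only removes the copy the browser shows and stores; whatever the server does with the token afterwards (the opaque-UID lookup suggested earlier in the thread) is where the real verification has to happen.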