I am trying out social login with Auth0 (here with GitHub). After going to https://AUTH_DOMAIN/authorize?client_id=CLIENT_ID&response_type=token&redirect_uri=http://localhost:3001/api/private I get redirected through the GitHub login and then I get redirected to: http://localhost:3001/api/private#access_token=TOKEN&expires_in=7200&token_type=Bearer

Is that correct? This is not a request param which I can read on the server side. Am I doing something wrong?
You’re using response_type=token in the authorization endpoint request, which signals you’re performing an implicit grant where the issued response will be delivered to the client-side components of your web application (by default this is achieved by including the response in the fragment component of the redirect URL).

The above is useful for browser-based applications (SPAs) where the application logic is on the client side and as such the tokens need to be available there.

If you have a more traditional web application where the issued tokens will be used from the server side and not from the client side, then you should be using an authorization code grant by configuring response_type=code. This, by default, will trigger the response to be included in the query component of the redirect URL and as such available to the server side. Keep in mind that in this mode you’ll need to perform an additional request to actually obtain the tokens. See the following documentation for more information: Authorization Code Flow