
In Passwordless is it possible to get access_token in the query string (?) instead of the fragment (#)?

access_token
passwordless
redirect-fragment

#1

Hi!

When clicking on the sign-in link in the email sent by Passwordless I would like to get the returned data in the query string instead of the fragment.

I.e. now I get

http://my-domain-and-path#access_token=…

But would like to get

http://my-domain-and-path?access_token=…




This way I could verify the token directly instead of needing to scrape it and send it to back-end as xhr.



Thanks! :slight_smile:


#2

From: https://stackoverflow.com/questions/40111082/auth0-callback-url-never-called

The id_token and access_token are returned on the hash fragment when you’re using a response type of token. This is aimed for browser-based applications that as a consequence have access to the URL fragment.

If your application is a traditional server-side web application you should be using the code response type so that an authorization code is sent to your server-side as part of the query string. Then on the server-side you can issue a request to exchange this code for the actual tokens.


#3

Yup, explicitly setting “responseType” to “code” when doing new auth0.WebAuth(...) solved it, thank you!
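
The server-side half of the code flow described in post #2, as an added example that is not part of the original thread or Auth0's own code. It shows that a fragment never reaches the server, and builds the back-channel request that exchanges the query-string `code` for tokens. The tenant domain, redirect URI, client credentials, the stored `state` value and both function names are constructed placeholders.

```javascript
// Added example. TENANT, REDIRECT_URI and all sample values are constructed.
const TENANT = 'example-tenant.auth0.com';            // placeholder tenant domain
const REDIRECT_URI = 'https://app.example.com/callback';

// What the server can see of a callback URL. Browsers strip the fragment
// before sending the request, so only the query string is available.
function serverVisibleParams(browserUrl) {
  const u = new URL(browserUrl);
  return Object.fromEntries(u.searchParams);          // u.hash is never transmitted
}

// Callback handler logic for response type "code": validate the response,
// then describe the POST that trades the code for tokens server to server.
// expectedState is assumed to have been stored in the user's session earlier.
function buildCodeExchange(browserUrl, expectedState, client) {
  const params = serverVisibleParams(browserUrl);
  if (params.error) throw new Error(`authorization failed: ${params.error}`);
  if (!params.code) throw new Error('no authorization code in query string');
  if (!expectedState || params.state !== expectedState) {
    throw new Error('state mismatch');                // response not tied to this session
  }
  return {
    url: `https://${TENANT}/oauth/token`,
    method: 'POST',
    headers: { 'content-type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({
      grant_type: 'authorization_code',
      client_id: client.id,
      client_secret: client.secret,                   // stays on the server
      code: params.code,
      redirect_uri: REDIRECT_URI,
    }).toString(),
  };
}
```

The returned object can be passed to `fetch(req.url, req)`; the tokens then arrive in the response body on the server and never appear in a URL.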

