Node.js Cognito sends # before token in URL

Time:10-01

I have a Cognito setup (with only Implicit Grant enabled) and have http://localhost:8000/login specified as the callback login URL.

I have a backend (Node.js) which expects a GET request on the /login endpoint, and I plan to parse/verify the token there.

When login is done it redirects me to http://localhost:8000/login#id_token=...

The problem is that, as far as I know, the part of the URL starting with the # symbol is never sent to the server. So how can I receive the token on the Node.js side?

CodePudding user response:

You shouldn’t be using implicit flow. It’s an outdated and insecure feature of OAuth. The token is passed in the hash specifically because it is meant for client-side applications. Since you have a Node.js backend as your client, you should be going through an authorization code (with PKCE) grant.

CodePudding user response:

What is the response type used? Is it response_type=id_token? In that case, in order to have it sent to a backend for a simple OIDC login flow, you have two options:

  1. add response_mode=form_post, which will result in the IdP triggering a self-submitting POST form to your redirect_uri
  2. add a "re-post" handler to your GET redirect_uri that will read the fragment portion and POST it to your backend.

Each of the two has its benefits as well as drawbacks.
