This might be a newbie question but I couldn't find any answers to this on SO or Okta forums/guides. I've configured my Okta app to redirect to https://localhost:443/auth/callback when a user signs in and grants consent to a scope. I'm using implicit grant and the redirect works, but in my /auth/callback, the request query, headers, and body don't contain the access token. It's only when I call res.end() that Express redirects to the below URL:
https://localhost/auth/callback#access_token=accessTokenHere&token_type=Bearer&expires_in=3600&scope=openid+phone&state=myState
How do I retrieve the access token? My express route:
router.get('/auth/callback', (req, res) => {
  console.log(req.headers); // no access token here
  console.log(req.query); // {}
  console.log(req.body); // {}
  res.end(); // redirects to https://localhost/auth/callback#access_token=accessTokenHere&token_type=Bearer&expires_in=3600&scope=openid+phone&state=myState
});
That's because what comes after # in the URL is called the URI fragment identifier, and it won't be sent to the server; it's used in the browser and can be accessed via window.location.hash.
Instead of # you can use ? (and keep the part after it as it is), which is called query parameters and can be accessed via req.query.query_name; in your case query_name is access_token, token_type, expires_in...
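The fragment handling described in the answer above, as an added example that is not part of the original post: it shows what the server actually receives for the callback URL and how script on the callback page can read the fragment, check `state`, and then clear the token from the address bar. The sample URL is constructed from the one in the question, and the `oauth_state` sessionStorage key and both function names are assumptions.

```javascript
// Added example; SAMPLE is constructed from the URL in the question and
// 'oauth_state' is an assumed sessionStorage key, not an Okta name.
const SAMPLE = 'https://localhost/auth/callback#access_token=accessTokenHere' +
  '&token_type=Bearer&expires_in=3600&scope=openid+phone&state=myState';

// What the HTTP request carries: path and query only, never the fragment.
function requestTarget(href) {
  const url = new URL(href);
  return url.pathname + url.search;
}

// Parse the fragment in the browser and check `state` before using the token.
function parseImplicitCallback(href, expectedState) {
  // hash is "#access_token=..."; drop the "#" and decode like a query string.
  const params = new URLSearchParams(new URL(href).hash.slice(1));
  if (params.has('error')) {
    throw new Error(`authorization error: ${params.get('error')}`);
  }
  // A response whose state differs from the one we sent is not ours.
  if (!expectedState || params.get('state') !== expectedState) {
    throw new Error('state mismatch');
  }
  const accessToken = params.get('access_token');
  if (!accessToken) throw new Error('no access_token in fragment');
  return {
    accessToken,
    tokenType: params.get('token_type'),
    expiresIn: Number(params.get('expires_in')),
    scope: (params.get('scope') || '').split(' ').filter(Boolean),
  };
}

if (typeof window !== 'undefined') {
  // Browser: read the real location, then drop the fragment so the token
  // does not stay in the address bar or session history.
  const token = parseImplicitCallback(
    window.location.href, sessionStorage.getItem('oauth_state'));
  history.replaceState(null, '', window.location.pathname);
  console.log('granted scopes:', token.scope);
} else {
  // Node: run against the constructed sample.
  console.log(requestTarget(SAMPLE));
  console.log(parseImplicitCallback(SAMPLE, 'myState').scope);
}
```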