up vote 1 down vote favorite

Concerning https://github.com/sinatra/sinatra/issues/596, which i wrongly diagnosed as a sinatra bug.

I'm having the following issue: I'm using Soundcloud OAuth workflow to implement single-sign-on in a project of mine. For that I'm using the "soundcloud" gem. So, after being redirected to soundcloud's sign-in/authorization form and pressing "Connect", I'm redirected back to the URL from my app I have specified as the redirect url... but some hash parameters come behind! So, let's say, instead of being redirected to "http://myapp.com/connect?code=123", I am instead being redirected to "http://myapp.com/connect?code=123#access_token=qwerty". Since hash parameters are not part of the HTTP protocol, it does have secondary effects on the server, but on the client, the bleepin hash params just do not go away! Basically, on my redirect endpoint, I'm fetching the code given by soundcloud, pinging Soundcloud's token exchange for a fresh access token, storing it and redirecting to my homepage, '/'. But the browsers do not clean the hash parameters on redirects, so that means I'm being redirected to "http://myapp.com/#access_token=qwerty". And that just sucks. Is there a workaround to this issue or is this a soundcloud "bug"? (Not exactly a bug because it doesn't break a thing, it is just plain ugly to have those hash params there).

share|improve this question
feedback

1 Answer

up vote 0 down vote accepted

[Answered the same thing in that thread that you've linked but will try to summarize that here]

One reason I can think is to ensure JS cross-compatible API. That is, when using JS to authenticate the user, this is the only way to read the result of the authentication url parameters - by parsing the attributes after the # in the URL. This is as far as I can reason with the design.

And yes, there is a work-around:

Actually, the API server has more features which are not implemented directly in the Ruby driver yet. The result of the client.authorize_url call is of this type:

"https://#{host}#{AUTHORIZE_PATH}?response_type=code_and_token
                                  &client_id=#{client_id}
                                  &redirect_uri=#{URI.escape redirect_uri}
                                  &#{additional_params}"
(Ignore the `additional_params` part for now)

The response_type parameter can take other values too but unfortunately, this is not a readily-available feature in the Ruby API wrapper. The possible values are:

  • response_type=code which embeds the code which can later be used to generate the access_token of the user. This can be done by running client.exchange_code(:code => params[:code]) as mentioned in the API reference docs.
  • response_type=token which embeds the access_token and avoids the code parameter. However, unlike the code parameter, the access_token is not a query parameter but is prefixed with a # and so, JS is the only way to get this value.

You can verify this here: http://developers.soundcloud.com/docs/api/reference#connect. One of the parameters than can be changed is the response_type. The additional parameters are display, state and scope which are listed out in the above link

share|improve this answer
already read your answer to the issue, just haven't had the time to test it. Will do it asap and come back at you with feedback. Will also report the code_and_token issue there, if it's a javascript hack, it should be present on their javascript wrapper, I'd say, and in the worst case scenario it should be an authorize_url() parameter. Monkey patching sux :) – ChuckE Jan 14 at 16:49
I did open up an issue on their GitHub page and pushed a commit to my repo. Was wondering why they would ignore such a simple option :) – Kashyap Jan 14 at 17:02
1  
Well, they ignored more than one thing. Let's just say this # issue is not my only Oauth integration problem with soundcloud. But that will stay for another issue/post . – ChuckE Jan 14 at 17:43
feedback

Your Answer

 
or
required, but never shown
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.