dashboard/authcallback.html

<!DOCTYPE html>

<script>

(async function () {
    const params = new URLSearchParams(window.location.search);
    const code = params.get('code');

    if (!code) {
        console.error('No authorization code in callback URL');
        window.location.replace('/');
        return;
    }

    const codeVerifier = sessionStorage.getItem('pkce_code_verifier');
    const clientId = sessionStorage.getItem('pkce_client_id') || 'cid-webadmin';
    const apiOrigin = sessionStorage.getItem('pkce_api_origin') || '';

    sessionStorage.removeItem('pkce_code_verifier');
    sessionStorage.removeItem('pkce_client_id');
    sessionStorage.removeItem('pkce_api_origin');

    try {
        const response = await fetch(apiOrigin + '/openid/token', {
            method: 'POST',
            headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
            body: new URLSearchParams({
                grant_type: 'authorization_code',
                code: code,
                client_id: clientId,
                redirect_uri: window.location.origin + '/authcallback.html',
                code_verifier: codeVerifier
            })
        });

        const data = await response.json();

        if (!response.ok || !data.access_token) {
            console.error('Token exchange failed', data);
            window.location.replace('/');
            return;
        }

        localStorage.token = data.access_token;
    } catch (e) {
        console.error('Token exchange error', e);
        window.location.replace('/');
        return;
    }

    let redirectTo = '/';
    if (localStorage.getItem('redirectToHash')) {
        redirectTo += localStorage.getItem('redirectToHash');
        localStorage.removeItem('redirectToHash');
    }

    window.location.replace(redirectTo);
})();

</script>
redirectTo is not a const 2025-08-10 15:53:05 +02:00			`<!DOCTYPE html>`

oidc dashboard login 2023-06-02 20:47:36 +02:00			`<script>`

webadmin: remove the implicit flow we now use pkce . main advantage is that we don't see the access token in the url anymore. in pkce, the auth code by itself is useless. need the verifier. fixes #844 2026-03-14 22:06:17 +05:30			`(async function () {`
			`const params = new URLSearchParams(window.location.search);`
			`const code = params.get('code');`
oidc dashboard login 2023-06-02 20:47:36 +02:00
webadmin: remove the implicit flow we now use pkce . main advantage is that we don't see the access token in the url anymore. in pkce, the auth code by itself is useless. need the verifier. fixes #844 2026-03-14 22:06:17 +05:30			`if (!code) {`
			`console.error('No authorization code in callback URL');`
			`window.location.replace('/');`
			`return;`
			`}`
oidc dashboard login 2023-06-02 20:47:36 +02:00
webadmin: remove the implicit flow we now use pkce . main advantage is that we don't see the access token in the url anymore. in pkce, the auth code by itself is useless. need the verifier. fixes #844 2026-03-14 22:06:17 +05:30			`const codeVerifier = sessionStorage.getItem('pkce_code_verifier');`
			`const clientId = sessionStorage.getItem('pkce_client_id') \|\| 'cid-webadmin';`
			`const apiOrigin = sessionStorage.getItem('pkce_api_origin') \|\| '';`
oidc: remove authcallback.html from history this way atleast token goes away from history. part of #844 2025-07-10 14:01:45 +02:00
webadmin: remove the implicit flow we now use pkce . main advantage is that we don't see the access token in the url anymore. in pkce, the auth code by itself is useless. need the verifier. fixes #844 2026-03-14 22:06:17 +05:30			`sessionStorage.removeItem('pkce_code_verifier');`
			`sessionStorage.removeItem('pkce_client_id');`
			`sessionStorage.removeItem('pkce_api_origin');`

			`try {`
			`const response = await fetch(apiOrigin + '/openid/token', {`
			`method: 'POST',`
			`headers: { 'Content-Type': 'application/x-www-form-urlencoded' },`
			`body: new URLSearchParams({`
			`grant_type: 'authorization_code',`
			`code: code,`
			`client_id: clientId,`
			`redirect_uri: window.location.origin + '/authcallback.html',`
			`code_verifier: codeVerifier`
			`})`
			`});`

			`const data = await response.json();`

			`if (!response.ok \|\| !data.access_token) {`
			`console.error('Token exchange failed', data);`
			`window.location.replace('/');`
			`return;`
			`}`

			`localStorage.token = data.access_token;`
			`} catch (e) {`
			`console.error('Token exchange error', e);`
			`window.location.replace('/');`
			`return;`
			`}`

			`let redirectTo = '/';`
			`if (localStorage.getItem('redirectToHash')) {`
			`redirectTo += localStorage.getItem('redirectToHash');`
			`localStorage.removeItem('redirectToHash');`
			`}`

			`window.location.replace(redirectTo);`
			`})();`
oidc dashboard login 2023-06-02 20:47:36 +02:00
			`</script>`